Source: mitmproxy
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,

The following vulnerability was published for mitmproxy.

CVE-2025-23217[0]:
| mitmproxy is an interactive TLS-capable intercepting HTTP proxy for
| penetration testers and software developers and mitmweb is a
| web-based interface for mitmproxy. In mitmweb 11.1.1 and below, a
| malicious client can use mitmweb's proxy server (bound to `*:8080`
| by default) to access mitmweb's internal API (bound to
| `127.0.0.1:8081` by default). In other words, while they cannot
| access the API directly, they can access the API through the proxy.
| An attacker may be able to escalate this SSRF-style access to remote
| code execution. The mitmproxy and mitmdump tools are unaffected.
| Only mitmweb is affected. This vulnerability has been fixed in
| mitmproxy 11.1.2 and above. Users are advised to upgrade. There are
| no known workarounds for this vulnerability.

https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-wg33-5h85-7q5p

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-23217
    https://www.cve.org/CVERecord?id=CVE-2025-23217

Please adjust the affected versions in the BTS as needed.
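The advisory above describes the exposure abstractly: a client that can reach the proxy listener asks the proxy to fetch a loopback URL, and the proxy, connecting outward from its own host, reaches the API that was meant to be local-only. The following Python is an added illustration and is neither part of this Debian report nor mitmproxy's code or upstream fix. It assumes only the default binds the advisory states (proxy on `*:8080`, API on `127.0.0.1:8081`); every function name and the sample response bytes are this example's own. It shows the absolute-URI request a client would send to the proxy to reach the API, a policy check that recognises such proxied requests as pointing at the proxy host's own loopback API on the API port, and a small probe that an operator can run against their own instance after upgrading.

```python
"""Illustrative check for the proxy -> internal-API exposure described in
CVE-2025-23217 (GHSA-wg33-5h85-7q5p).  Example code for this note; it is NOT
mitmproxy's code and NOT the upstream fix.  Assumed defaults come from the
advisory: proxy on *:8080, web API on 127.0.0.1:8081.  All names are ours.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

API_HOST = "127.0.0.1"   # advisory default bind of the mitmweb API (assumed)
API_PORT = 8081          # advisory default port of the mitmweb API (assumed)


def build_proxy_request(target_url: str, method: str = "GET") -> bytes:
    """Build the absolute-URI HTTP/1.1 request a client sends TO THE PROXY so the
    proxy fetches target_url on its behalf.  The proxy resolves the target from
    its own host, so a loopback target lands on the proxy machine itself: that is
    the SSRF-style path the advisory describes."""
    parts = urlsplit(target_url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("example only handles plain-http absolute URLs")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (
        f"{method} http://{parts.netloc}{path} HTTP/1.1\r\n"
        f"Host: {parts.netloc}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def targets_internal_api(target_url: str,
                         api_host: str = API_HOST,
                         api_port: int = API_PORT) -> bool:
    """Policy check an operator could place in front of a proxy: does this proxied
    request point at the proxy host's own API?  'localhost', any loopback address
    (127/8, ::1) and the configured API host count as internal when the port
    matches the API port."""
    parts = urlsplit(target_url)
    host = parts.hostname
    if host is None:
        return False
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if host in ("localhost", api_host):
        internal_host = True
    else:
        try:
            internal_host = ipaddress.ip_address(host).is_loopback
        except ValueError:
            internal_host = False          # a DNS name: not loopback by itself
    return internal_host and port == api_port


def parse_status_code(response: bytes):
    """Return the HTTP status code from a raw response, or None if there is none."""
    first_line = response.split(b"\r\n", 1)[0]
    fields = first_line.split(b" ")
    if len(fields) < 2 or not fields[0].startswith(b"HTTP/"):
        return None
    try:
        return int(fields[1])
    except ValueError:
        return None


def probe_via_proxy(proxy_host: str, proxy_port: int, target_url: str,
                    timeout: float = 5.0):
    """Send target_url through the proxy and return the status code relayed back
    (None if no parsable response).  Interpret with care: a proxy may answer with
    its own gateway error when the target refuses the connection, so inspect the
    body as well before concluding the API is reachable."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_proxy_request(target_url))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_status_code(b"".join(chunks))


if __name__ == "__main__":
    # Run against your own instance only (assumed local defaults).
    url = f"http://{API_HOST}:{API_PORT}/"
    print("request sent to proxy:", build_proxy_request(url))
    print("flagged as internal API target:", targets_internal_api(url))
    try:
        print("status via proxy:", probe_via_proxy("127.0.0.1", 8080, url))
    except OSError as exc:
        print("proxy not reachable:", exc)
```

The policy check is deliberately broader than the advisory's single `127.0.0.1:8081` case: an attacker who is blocked on the literal address would try `localhost` or `[::1]` next, so any loopback form on the API port is treated alike. A hostname that merely resolves to loopback is not caught here (no DNS lookup is done), which is the caveat to keep in mind if you adapt this beyond a demonstration; the real remedy remains upgrading to mitmproxy 11.1.2 or later.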