Your message dated Mon, 13 Oct 2025 12:34:22 +0000
with message-id <[email protected]>
and subject line Bug#1103701: fixed in mitmproxy 8.1.1-4
has caused the Debian Bug report #1103701,
regarding mitmproxy: CVE-2025-23217
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1103701: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103701
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mitmproxy
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for mitmproxy.
CVE-2025-23217[0]:
| mitmproxy is an interactive TLS-capable intercepting HTTP proxy for
| penetration testers and software developers and mitmweb is a web-
| based interface for mitmproxy. In mitmweb 11.1.1 and below, a
| malicious client can use mitmweb's proxy server (bound to `*:8080`
| by default) to access mitmweb's internal API (bound to
| `127.0.0.1:8081` by default). In other words, while they cannot
| access the API directly, they can access the API through the proxy.
| An attacker may be able to escalate this SSRF-style access to remote
| code execution. The mitmproxy and mitmdump tools are unaffected.
| Only mitmweb is affected. This vulnerability has been fixed in
| mitmproxy 11.1.2 and above. Users are advised to upgrade. There are
| no known workarounds for this vulnerability.
https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-wg33-5h85-7q5p
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-23217
https://www.cve.org/CVERecord?id=CVE-2025-23217
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: mitmproxy
Source-Version: 8.1.1-4
Done: Gianfranco Costamagna <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mitmproxy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gianfranco Costamagna <[email protected]> (supplier of updated mitmproxy
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 13 Oct 2025 14:09:20 +0200
Source: mitmproxy
Built-For-Profiles: noudeb
Architecture: source
Version: 8.1.1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Gianfranco Costamagna <[email protected]>
Closes: 1071640 1103701 1110243
Changes:
mitmproxy (8.1.1-4) unstable; urgency=medium
.
  [ Emmanuel Arias ]
  * Team upload.
  * d/patches/0008-Stop-using-blinker._saferef.patch: Add patch to stop
    using blinker._saferef module (Closes: #1071640, #1110243).
  * Fix CVE-2025-23217: mitmweb's API now requires an authentication
    token by default. While the client cannot access the API directly,
    they can access the API through the proxy. An attacker may be able to
    escalate this SSRF-style access to remote code execution (Closes:
    #1103701).
--- End Message ---
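As an added illustration, not mitmproxy's own code and not the Debian patch, the two checks below show the shape of the problem the advisory and the 8.1.1-4 changelog describe: a proxy-side guard that refuses to relay a client's request to the proxy's own loopback-bound API, and the API-side token requirement that the fix introduces. The port constant, the header name and the bearer-token scheme are this example's assumptions.

```python
import hmac
import ipaddress
from urllib.parse import urlsplit

# Assumed deployment values from the advisory text: the proxy listens on
# *:8080 and the internal mitmweb API on 127.0.0.1:8081 (hypothetical constant).
INTERNAL_API_PORT = 8081


def host_is_loopback(host: str) -> bool:
    """True if the request host names the local loopback interface.

    Covers IPv4 127.0.0.0/8, IPv6 ::1, IPv4-mapped IPv6 (::ffff:127.0.0.1)
    and the 'localhost' name. Other hostnames are treated as non-loopback
    because this example does no DNS lookup (an assumption of the example).
    """
    h = host.strip("[]").lower()
    if h == "localhost" or h.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def proxy_target_allowed(target_url: str, api_port: int = INTERNAL_API_PORT) -> bool:
    """Proxy-side guard: refuse to relay a client's request to the proxy's
    own loopback-bound API, which is the SSRF path the advisory describes."""
    parts = urlsplit(target_url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return not (host_is_loopback(host) and port == api_port)


def api_request_authorized(headers: dict, expected_token: str) -> bool:
    """API-side guard mirroring the fix: every API request must carry the
    per-instance token. Header name and scheme are assumptions of this
    example, not mitmweb's actual mechanism."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme.lower() == "bearer" and hmac.compare_digest(
        token.encode(), expected_token.encode()
    )
```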