VulnerableCode Package Details - pkg:deb/debian/mitmproxy@8.1.1-2

Search for packages

Vulnerability	Summary	Fixed by
VCID-957h-4a8b-67dy Aliases: CVE-2025-23217 GHSA-wg33-5h85-7q5p	Mitmweb API Authentication Bypass Using Proxy Server In mitmweb 11.1.0 and below, a malicious client can use mitmweb's proxy server (bound to `*:8080` by default) to access mitmweb's internal API (bound to `127.0.0.1:8081` by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this [SSRF](https://en.wikipedia.org/wiki/Server-side_request_forgery)-style access to remote code execution. The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. The `block_global` option, which is enabled by default, blocks connections originating from publicly-routable IP addresses in the proxy. The attacker needs to be in the same local network.	8.1.1-4 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-957h-4a8b-67dy
Aliases:
CVE-2025-23217
GHSA-wg33-5h85-7q5p

Mitmweb API Authentication Bypass Using Proxy Server In mitmweb 11.1.0 and below, a malicious client can use mitmweb's proxy server (bound to `*:8080` by default) to access mitmweb's internal API (bound to `127.0.0.1:8081` by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this [SSRF](https://en.wikipedia.org/wiki/Server-side_request_forgery)-style access to remote code execution. The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. The `block_global` option, which is enabled by default, blocks connections originating from publicly-routable IP addresses in the proxy. The attacker needs to be in the same local network.

8.1.1-4
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-8xbk-3z3r-nkfh	mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request's body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless mitmproxy is used to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 8.0.0 and above. There are currently no known workarounds.	CVE-2022-24766 GHSA-gcx2-gvj7-pxv3 PYSEC-2022-170

Vulnerability

Summary

Aliases

VCID-8xbk-3z3r-nkfh

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request's body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless mitmproxy is used to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 8.0.0 and above. There are currently no known workarounds.

CVE-2022-24766
GHSA-gcx2-gvj7-pxv3
PYSEC-2022-170

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T19:53:39.318160+00:00	Debian Importer	Affected by	VCID-957h-4a8b-67dy	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-04T19:44:47.846364+00:00	Debian Importer	Fixing	VCID-8xbk-3z3r-nkfh	https://security-tracker.debian.org/tracker/data/json	38.6.0

2026-06-04T19:53:39.318160+00:00

Debian Importer

Affected by

VCID-957h-4a8b-67dy

https://security-tracker.debian.org/tracker/data/json

38.6.0

2026-06-04T19:44:47.846364+00:00

Debian Importer

Fixing

VCID-8xbk-3z3r-nkfh

https://security-tracker.debian.org/tracker/data/json

38.6.0

Next non-vulnerable version	8.1.1-4
Latest non-vulnerable version	8.1.1-4
Risk