GHSA-7vwr-g6pm-9hc8: Cookie leakage between different users in fastapi-proxy-lib
Impact
In the implementation of version 0.0.1, requests from different user clients are processed using a shared httpx.AsyncClient.
However, one oversight is that the httpx.AsyncClient will persistently store cookies based on the set-cookie response header sent by the target server and share these cookies across different user requests.
This results in a cookie leakage issue among all user clients sharing the same httpx.AsyncClient.
Patches
It’s fixed in 0.1.0.
Workarounds
If you insist on 0.0.1:
- Do not use ForwardHttpProxy at all.
- Do not use ReverseHttpProxy or ReverseWebSocketProxy for any servers that may potentially send a set-cookie response.
However, it’s best to upgrade to the latest version.
References
- fixed in WSH032/fastapi-proxy-lib#10
- GHSA-7vwr-g6pm-9hc8
High severity GitHub Reviewed Published Dec 1, 2023 in WSH032/fastapi-proxy-lib • Updated Dec 1, 2023
Package: fastapi-proxy-lib (pip)
Affected versions: < 0.1.0
Published to the GitHub Advisory Database: Dec 1, 2023