GMS-2023-5457: Cookie leakage between different users in fastapi-proxy-lib
Impact
In the implementation of version 0.0.1, requests from different user clients are processed using a shared httpx.AsyncClient.
However, one oversight is that the httpx.AsyncClient will persistently store cookies based on the set-cookie response header sent by the target server and share these cookies across different user requests. This results in a cookie leakage issue among all user clients sharing the same httpx.AsyncClient.
Patches
It’s fixed in 0.1.0.
Workarounds
If you insist on 0.0.1:
- Do not use ForwardHttpProxy at all.
- Do not use ReverseHttpProxy or ReverseWebSocketProxy for any servers that may potentially send a set-cookie response.
However, it’s best to upgrade to the latest version.
References
fixed in #10