CVE-2025-23217: Mitmweb API Authentication Bypass Using Proxy Server
In mitmweb 11.1.0 and below, a malicious client can use mitmweb’s proxy server (bound to *:8080
by default) to access mitmweb’s internal API (bound to 127.0.0.1:8081
by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this SSRF-style access to remote code execution.
The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. The block_global
option, which is enabled by default, blocks connections originating from publicly-routable IP addresses in the proxy. The attacker needs to be in the same local network.
References
- github.com/advisories/GHSA-wg33-5h85-7q5p
- github.com/mitmproxy/mitmproxy
- github.com/mitmproxy/mitmproxy/blob/main/CHANGELOG.md
- github.com/mitmproxy/mitmproxy/commit/fa89055e196d953f11fd241e36ee37858993486a
- github.com/mitmproxy/mitmproxy/security/advisories/GHSA-wg33-5h85-7q5p
- nvd.nist.gov/vuln/detail/CVE-2025-23217
Detect and mitigate CVE-2025-23217 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →