
GHSA-63cx-g855-hvv4: mitmproxy binaries embed a vulnerable python-hyper/h2 dependency

August 25, 2025

mitmproxy 12.1.1 and below embed python-hyper/h2 ≤ v4.2.0, which has a gap in its HTTP/2 header validation. This enables request smuggling attacks when mitmproxy is in a configuration where it translates HTTP/2 to HTTP/1. For example, this affects reverse proxies to http:// backends. It does not affect mitmproxy’s regular mode.
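The hazard the advisory describes is an HTTP/2 header block that h2 accepts but that, once serialised as HTTP/1, is framed differently by the backend. The following is an added example (not mitmproxy's or h2's code, and not a reconstruction of the specific h2 gap, which this page does not detail): it applies the general HTTP/2 field rules from RFC 9113 §8.2 (lowercase token names, no NUL/CR/LF or edge whitespace in values, no connection-specific fields, `te` only as `trailers`) before an HTTP/2 request head is downgraded to HTTP/1.1. The backend name, the header values and the decision to drop a regular `host` field in favour of `:authority` are constructed assumptions for the example.

```python
import re
from typing import Iterable, List, Tuple

Header = Tuple[bytes, bytes]

# Field names must be lowercase tokens (RFC 9113 §8.2.1); pseudo-headers carry a ':' prefix.
_NAME_RE = re.compile(rb"^:?[!#$%&'*+\-.^_`|~0-9a-z]+$")
# Field values must not contain NUL, CR or LF (RFC 9113 §8.2.1); a CRLF that survives
# into an HTTP/1 serialisation becomes a new header line or a second request.
_BAD_VALUE_RE = re.compile(rb"[\x00\r\n]")
# Connection-specific fields are malformed in HTTP/2 (RFC 9113 §8.2.2); forwarded to an
# HTTP/1 backend they can change how that backend frames the message body.
_CONNECTION_SPECIFIC = frozenset({
    b"connection", b"keep-alive", b"proxy-connection", b"transfer-encoding", b"upgrade",
})

# Constructed sample request head (backend name and values are assumptions).
SAMPLE_GOOD: List[Header] = [
    (b":method", b"GET"), (b":path", b"/"), (b":authority", b"backend.test"),
    (b"x-request-id", b"abc123"),
]


class MalformedHeader(ValueError):
    """A header block that must be rejected rather than forwarded."""


def validate_h2_headers(headers: Iterable[Header]) -> List[Header]:
    """Return the header list unchanged if every field is safe to serialise as HTTP/1."""
    checked: List[Header] = []
    for name, value in headers:
        if not _NAME_RE.match(name):
            raise MalformedHeader(f"bad field name {name!r}")
        if _BAD_VALUE_RE.search(value):
            raise MalformedHeader(f"control character in value of {name!r}")
        if value[:1] in (b" ", b"\t") or value[-1:] in (b" ", b"\t"):
            raise MalformedHeader(f"leading/trailing whitespace in value of {name!r}")
        if name in _CONNECTION_SPECIFIC:
            raise MalformedHeader(f"connection-specific field {name!r}")
        if name == b"te" and value != b"trailers":
            raise MalformedHeader("te may only carry 'trailers' in HTTP/2")
        checked.append((name, value))
    return checked


def downgrade_to_http1(headers: Iterable[Header]) -> bytes:
    """Serialise a validated HTTP/2 request header block as an HTTP/1.1 request head."""
    checked = validate_h2_headers(headers)
    pseudo = {n: v for n, v in checked if n.startswith(b":")}
    for required in (b":method", b":path", b":authority"):
        if required not in pseudo:
            raise MalformedHeader(f"missing pseudo-header {required!r}")
    # Host is derived from :authority; a regular 'host' field is dropped so that only one
    # Host line is emitted (an assumption of this example, not h2/mitmproxy policy).
    regular = [(n, v) for n, v in checked if not n.startswith(b":") and n != b"host"]
    lines = [pseudo[b":method"] + b" " + pseudo[b":path"] + b" HTTP/1.1",
             b"host: " + pseudo[b":authority"]]
    lines += [n + b": " + v for n, v in regular]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def is_forwardable(headers: Iterable[Header]) -> bool:
    """True if the block passes validation, False if it would be rejected."""
    try:
        downgrade_to_http1(headers)
    except MalformedHeader:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: one clean request and one with CRLF embedded in a field value.
    crlf_in_value = SAMPLE_GOOD + [(b"x-note", b"1\r\nContent-Length: 0")]
    print(downgrade_to_http1(SAMPLE_GOOD).decode())
    print("CRLF-in-value block forwardable:", is_forwardable(crlf_in_value))
```

The point for a proxy that bridges protocols is that validation has to happen on the HTTP/2 side, against HTTP/2's rules, before the bytes are re-encoded; an HTTP/1 backend has no way to know that a field value was ever a single HTTP/2 field.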

All users are encouraged to upgrade to mitmproxy 12.1.2, which includes a fixed version of h2.

More details about the vulnerability itself can be found at https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h.

References

  • github.com/advisories/GHSA-63cx-g855-hvv4
  • github.com/mitmproxy/mitmproxy
  • github.com/mitmproxy/mitmproxy/security/advisories/GHSA-63cx-g855-hvv4
  • github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h

Detect and mitigate GHSA-63cx-g855-hvv4 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.

Affected versions

All versions before 12.1.2

Fixed versions

  • 12.1.2

Solution

Upgrade to version 12.1.2 or above.
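As an added example of the version check a dependency scanner applies for this advisory (not GitLab's scanner and not mitmproxy's code), the snippet below reads `==` pins from a requirements file, flags mitmproxy below 12.1.2 and any separately pinned h2 at or below 4.2.0, and treats a pre-release such as `12.1.2rc1` as still affected. The requirements text and the package name `example-pkg` are constructed inputs; the h2 range comes from the advisory above, which gives no fixed h2 version, so none is stated.

```python
import re
from typing import List, Tuple

ADVISORY = "GHSA-63cx-g855-hvv4"
H2_ADVISORY = "GHSA-847f-9342-265h"
# Four-part tuples: (major, minor, patch, pre) where pre is 0 for a release and -1 for
# any pre-release suffix, so 12.1.2rc1 sorts below 12.1.2.
MITMPROXY_FIXED = (12, 1, 2, 0)
H2_LAST_VULNERABLE = (4, 2, 0, 0)

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '12.1.1' or '4.2.0rc1' into a comparable (major, minor, patch, pre) tuple."""
    nums: List[int] = []
    pre = 0
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        if not m:
            pre = -1  # piece starts with letters: treat as pre-release
            break
        nums.append(int(m.group()))
        if m.end() != len(piece):
            pre = -1  # trailing 'rc1', 'a2', etc. on a numeric piece
            break
    nums = (nums + [0, 0, 0])[:3]
    return (nums[0], nums[1], nums[2], pre)


def scan_requirements(requirements: str) -> List[str]:
    """Return one finding per pinned package that falls inside the advisory's ranges."""
    findings: List[str] = []
    for line in requirements.splitlines():
        m = _PIN_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        raw, version = m.group(2), parse_version(m.group(2))
        if name == "mitmproxy" and version < MITMPROXY_FIXED:
            findings.append(f"mitmproxy {raw}: affected by {ADVISORY}; upgrade to 12.1.2 or above")
        elif name == "h2" and version <= H2_LAST_VULNERABLE:
            findings.append(f"h2 {raw}: at or below 4.2.0, see {H2_ADVISORY}")
    return findings


# Constructed sample lockfile content for the example.
SAMPLE_REQUIREMENTS = """\
mitmproxy==12.1.1
h2==4.2.0
example-pkg==1.0.0
"""

if __name__ == "__main__":
    for finding in scan_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```

Only exact pins are examined; a range specifier such as `mitmproxy>=12` would need to be resolved against the installed version before the same comparison applies.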

Weakness

  • CWE-1395: Dependency on Vulnerable Third-Party Component
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Source file

pypi/mitmproxy/GHSA-63cx-g855-hvv4.yml


Page generated Wed, 27 Aug 2025 00:18:41 +0000.