Safety vulnerability ID: 48560
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Mitmproxy 8.0.0 includes a fix for CVE-2022-24766: Insufficient Protection against HTTP Request Smuggling.
https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3
Latest version: 11.0.0
An interactive, SSL/TLS-capable intercepting proxy for HTTP/1, HTTP/2, and WebSockets.
Major Changes
* Major improvements to the web interface (gorogoroumaru)
* Event hooks can now be async (nneonneo, [5106](https://github.com/mitmproxy/mitmproxy/issues/5106))
* New [`tls_{established,failed}_{client,server}` event hooks](https://docs.mitmproxy.org/dev/api/events.html#TLSEvents) to record negotiation success/failure (mhils, [4790](https://github.com/mitmproxy/mitmproxy/pull/4790))
Security Fixes
* [CVE-2022-24766](https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3): Fix request smuggling vulnerability reported by zeyu2001 (mhils)
Full Changelog
* Support proxy authentication for SOCKS v5 mode (starplanet)
* Make it possible to ignore connections in the tls_clienthello event hook (mhils)
* Fix some responses not being decoded properly if the encoding was uppercase (4735, Mattwmaster58)
* Trigger event hooks for flows with semantically invalid requests, for example invalid Content-Length headers (mhils)
* Improve error message on TLS version mismatch (mhils)
* Windows: Switch to Python's default asyncio event loop, which increases the number of sockets that can be processed simultaneously (mhils)
* Add `client_replay_concurrency` option, which allows more than one client replay request to be in-flight at a time. (rbdixon)
* New content view which handles gRPC/protobuf and allows custom definitions to be applied to visualize different field decodings. Includes an example addon which applies custom definitions for selected gRPC traffic (mame82)
* Fix a crash caused when editing string option (4852, rbdixon)
* Base container image bumped to Debian 11 Bullseye (Kriechi)
* Upstream replays don't do CONNECT on plaintext HTTP requests (4876, HoffmannP)
* Remove workarounds for old pyOpenSSL versions (4831, KarlParkinson)
* Add fonts to asset filter (~a) (4928, elespike)
* Fix bug that crashed when using `view.flows.resolve` (4916, rbdixon)
* Fix a bug where `running()` is invoked twice on startup (3584, mhils)
* Correct documentation example for User-Agent header modification (4997, jamesyale)
* Fix random connection stalls (5040, EndUser509)
* Add `n` new flow keybind to mitmweb (5061, ianklatzco)
* Fix compatibility with BoringSSL (pmoulton)
* Added `WebSocketMessage.injected` flag (Prinzhorn)
* Add example addon for saving streamed data to individual files (EndUser509)
* Change connection event hooks to be blocking. Processing will only resume once the event hook has finished. (Prinzhorn)
* Reintroduce `Flow.live`, which signals if a flow belongs to a currently active connection. (4207, mhils)
* Speculative fix for some rare HTTP/2 connection stalls (5158, EndUser509)
* Add ability to specify custom ports with LDAP authentication (5068, demonoidvk)
* Add support for rotating saved streams every hour or day (EndUser509)
* Console Improvements on Windows (mhils)
* Fix processing of `--set` options (5067, marwinxxii)
* Lowercase user-added header names and emit a log message to notify the user when using HTTP/2 (4746, mhils)
* Exit early if there are errors on startup (4544, mhils)
* Fixed encoding guessing: only search for meta tags in HTML bodies (4566, Prinzhorn)
* Binaries are now built with Python 3.10 (mhils)