Requests is a popular HTTP library for Python that simplifies making HTTP requests by hiding the details of connection handling. A security vulnerability (CVE-2023-32681) affects every release since 2.3.0: in certain cases, when a request is redirected to an HTTPS endpoint, the library leaks the Proxy-Authorization header to the destination server. This can expose proxy credentials to whoever controls that server. The issue is fixed in version 2.31.0.

Vulnerability Details

The vulnerability arises from how Requests' rebuild_proxies method reattaches the Proxy-Authorization header to a request when following a redirect. For a plain-HTTP request sent through a proxy this is harmless: the proxy reads the header, authenticates the client, and strips the header before forwarding the request to the destination server, so the credentials never travel beyond the proxy.

HTTPS is different. The proxy cannot see inside the TLS tunnel, so proxy credentials have to be sent in the CONNECT request that sets up the tunnel, and anything placed on the tunnelled request itself goes straight through to the destination untouched. When a redirect leads to an HTTPS endpoint, vulnerable versions of Requests still add Proxy-Authorization to the redirected request, so the proxy credentials are delivered to the destination server instead of being stopped at the proxy.

Here's a code snippet illustrating the issue:

import requests

# The proxy credentials are embedded in the proxy URLs.
proxies = {
    'http': 'http://user:password@example.com:808',
    'https': 'https://user:password@example.com:808',
}

# A plain-HTTP request. If the server answers with a redirect to an HTTPS URL,
# a vulnerable Requests (< 2.31.0) re-attaches Proxy-Authorization to the
# tunnelled request, where the destination server can read it.
response = requests.get('http://example.org', proxies=proxies)

In the above example, if example.org answers with a redirect to an HTTPS endpoint, Requests follows it and sends the redirected request with a Proxy-Authorization header carrying user:password. Because that request travels inside the TLS tunnel, the proxy cannot strip the header, and the destination server receives the credentials.
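To make the redirect step concrete without touching the network, here is an added example written for this post. It is not code from the Requests project; it is a simplified model of the rebuild step and of what a proxy does with the header, with the proxy host proxy.example.com:8080, the credentials and the redirect chain all constructed for the example. The `patched` flag mirrors the idea behind the 2.31.0 fix (do not attach the header to requests whose scheme is https), and the model walks a redirect chain and reports at which hops the origin server would see the credentials.

```python
import base64
from urllib.parse import urlparse

# Constructed proxy configuration (hypothetical host and credentials).
PROXIES = {
    "http": "http://user:password@proxy.example.com:8080",
    "https": "http://user:password@proxy.example.com:8080",
}

# Constructed redirect chain: an HTTP site that bounces to HTTPS. No network
# access is performed; the chain stands in for the Location headers.
REDIRECTS = {
    "http://example.org/": "https://example.org/",
    "https://example.org/": "https://example.org/login",
}


def basic_auth_header(username, password):
    """Build the value of an HTTP Basic credential (base64 of user:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def rebuild_proxy_headers(url, proxies, patched):
    """Simplified model (not the library's code) of rebuilding proxy headers
    for a request to `url`, e.g. after a redirect.

    Returns the headers the client would put on the request itself.
    """
    headers = {}
    scheme = urlparse(url).scheme
    proxy_url = proxies.get(scheme)
    if proxy_url is None:
        return headers
    parsed = urlparse(proxy_url)
    username, password = parsed.username, parsed.password
    if not (username and password):
        return headers
    if patched and scheme == "https":
        # Fixed behaviour: for a TLS-tunnelled request the credentials belong
        # only in the CONNECT request, so nothing is attached to the request
        # the origin will see.
        return headers
    # Vulnerable behaviour (and the harmless plain-HTTP case): attach it.
    headers["Proxy-Authorization"] = basic_auth_header(username, password)
    return headers


def origin_sees_credentials(url, headers):
    """Model of the proxy: plain-HTTP requests are forwarded with
    Proxy-Authorization stripped; HTTPS requests are tunnelled, so whatever
    the client put on the request reaches the origin untouched."""
    if urlparse(url).scheme == "http":
        return False
    return "Proxy-Authorization" in headers


def follow_redirects(start_url, redirect_chain, proxies, patched):
    """Walk the redirect chain and return the URLs at which the origin
    server would receive the proxy credentials."""
    leaked = []
    url = start_url
    seen = set()
    while url is not None and url not in seen:
        seen.add(url)
        headers = rebuild_proxy_headers(url, proxies, patched)
        if origin_sees_credentials(url, headers):
            leaked.append(url)
        url = redirect_chain.get(url)
    return leaked


def demo():
    """Compare a vulnerable client with a patched one on the same chain."""
    vulnerable = follow_redirects("http://example.org/", REDIRECTS, PROXIES, patched=False)
    fixed = follow_redirects("http://example.org/", REDIRECTS, PROXIES, patched=True)
    return vulnerable, fixed


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable client leaks credentials at:", vulnerable)
    print("patched client leaks credentials at:", fixed)
```

The first hop (http://example.org/) carries the header in both cases, but the proxy strips it, so nothing leaks there. Every HTTPS hop after the redirect is where the vulnerable client hands user:password to the origin; the patched client attaches nothing to those requests and relies on the CONNECT request for proxy authentication.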

Exploit and Impact

An attacker only needs to control a server that a vulnerable client will request, or be able to steer the client to one, answer with a redirect to an HTTPS URL they control, and log the incoming Proxy-Authorization header. Because the header carries HTTP Basic credentials, which are merely base64-encoded, they are immediately usable: the attacker can authenticate to the victim's proxy and reach whatever network or services that proxy fronts.

Solution and Recommendations

This vulnerability has been patched in Requests version 2.31.0. Users are strongly advised to upgrade to this version or later to resolve this security issue.

To upgrade, use the following command (the version specifier ensures you land on a fixed release):

pip install --upgrade "requests>=2.31.0"

You can also verify that you're running a fixed version of Requests by checking its version (anything below 2.31.0 is affected):

import requests

print(requests.__version__)
# Compare the major and minor components against the fixed release, 2.31.0.
major, minor = (int(part) for part in requests.__version__.split('.')[:2])
print('vulnerable' if (major, minor) < (2, 31) else 'patched')

In addition, treat any proxy credentials that a vulnerable client may have sent through an untrusted redirect as potentially compromised: rotate them, and review the proxy's authentication logs for those credentials being used from unexpected source addresses or at unexpected times.

Conclusion

In this post, we examined CVE-2023-32681, a vulnerability present in Requests versions since 2.3.0 that causes the Proxy-Authorization header to be leaked to the destination server when a request is redirected to an HTTPS endpoint. The vulnerability has been patched in version 2.31.0, and users are urged to upgrade as soon as possible. Keep your software dependencies up to date, rotate credentials that may have been exposed, and monitor logs for potential misuse.

Timeline

Published on: 05/26/2023 18:15:00 UTC
Last modified on: 06/02/2023 18:17:00 UTC