urllib3, a user-friendly HTTP client library for Python, has a low-severity security vulnerability: the Proxy-Authorization header could be unintentionally exposed when it was set manually, without the library's proxy support, and automatic redirects were left enabled. To protect users, urllib3 now strips the Proxy-Authorization header during cross-origin redirects by default. Users should update to urllib3 version 1.26.19 or 2.2.2.

Description of the Vulnerability

The Proxy-Authorization header is meant to be used with urllib3's proxy support via ProxyManager, but it is sometimes set directly on a request even when no proxy is in use. In that situation urllib3 did not treat the Proxy-Authorization header as a credential-bearing header, so it was not automatically stripped during cross-origin redirects. As a result, a misconfigured request could forward the proxy credentials to a third-party origin.

To demonstrate, here is a code snippet that sets the Proxy-Authorization header by hand without using a forwarding proxy or a tunneling proxy:

import urllib3

# No ProxyManager: the request goes directly to the origin server.
http = urllib3.PoolManager()

# Proxy credentials attached as an ordinary request header (base64 of "username:password").
headers = {
    'Proxy-Authorization': 'Basic dXNlcm5hbWU6cGFzc3dvcmQ='
}

# Redirects are followed by default, so this header travels along with any redirect.
response = http.request(
    'GET',
    'http://example.com',
    headers=headers
)

Exposure additionally requires that all of the following hold:

- HTTP redirects are not disabled.
- The origin server is either not using HTTPS, or the proxy or target origin redirects to a malicious origin.
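The following is an added example, not code from the urllib3 project or from the original advisory. It models, in plain standard-library Python, the header-stripping decision urllib3 makes when it follows a redirect: the redirect target is resolved against the request URL, compared by origin (scheme, host, port with default ports normalized), and on a cross-origin hop every header in a remove-on-redirect set is dropped. The two header sets, the pre-fix one without Proxy-Authorization and the fixed one with it, are stated here from the advisory's description of the change; the request headers and the redirect Location values are constructed sample data.

```python
from urllib.parse import urljoin, urlsplit

# Headers urllib3 stripped on cross-origin redirects before the fix (model of the old default).
PRE_FIX_REMOVE_ON_REDIRECT = frozenset({"cookie", "authorization"})
# Default after the fix (1.26.19 / 2.2.2): Proxy-Authorization is now treated as a credential.
FIXED_REMOVE_ON_REDIRECT = frozenset({"cookie", "authorization", "proxy-authorization"})
# Headers a defender would consider credential-bearing when auditing redirect traffic.
CREDENTIAL_HEADERS = FIXED_REMOVE_ON_REDIRECT

_DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample request: the same mistake as the snippet above, plus an Authorization header.
SAMPLE_HEADERS = {
    "Proxy-Authorization": "Basic dXNlcm5hbWU6cGFzc3dvcmQ=",
    "Authorization": "Bearer constructed-sample-token",
    "User-Agent": "example-client/1.0",
}


def origin(url):
    """(scheme, host, port) with the default port filled in, so http://a/ == http://a:80/."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def is_same_origin(request_url, redirect_url):
    return origin(request_url) == origin(redirect_url)


def headers_for_redirect(request_url, location, headers, remove_on_redirect):
    """Return (resolved_target, headers_that_would_be_sent) for one redirect hop.

    Relative Location values are resolved against the request URL. Header names
    are matched case-insensitively, as HTTP header names are.
    """
    target = urljoin(request_url, location)
    if is_same_origin(request_url, target):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() not in remove_on_redirect}
    return target, kept


def leaked_headers(request_url, location, headers, remove_on_redirect):
    """Credential-bearing headers that would cross the origin boundary on this hop."""
    _, sent = headers_for_redirect(request_url, location, headers, remove_on_redirect)
    return sorted(k for k in sent if k.lower() in CREDENTIAL_HEADERS)


if __name__ == "__main__":
    # Constructed scenario: plain-HTTP request answered with a redirect to another origin.
    req = "http://example.com/"
    loc = "https://other.example/landing"
    print("pre-fix leaks:", leaked_headers(req, loc, SAMPLE_HEADERS, PRE_FIX_REMOVE_ON_REDIRECT))
    print("fixed leaks:  ", leaked_headers(req, loc, SAMPLE_HEADERS, FIXED_REMOVE_ON_REDIRECT))
    # Same-origin redirect (explicit default port): nothing is stripped in either version.
    print("same origin:  ", headers_for_redirect(req, "http://example.com:80/next",
                                                   SAMPLE_HEADERS, PRE_FIX_REMOVE_ON_REDIRECT)[1])
```

Running the module shows the pre-fix model forwarding Proxy-Authorization to the other origin while stripping Authorization, and the fixed model forwarding neither; a same-origin redirect keeps every header, which is the intended behaviour and why the port normalization matters. For deployments that cannot upgrade immediately, urllib3's Retry object accepts a remove_headers_on_redirect argument, so the same effect can be had by passing a Retry configured with the three-header set to PoolManager.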

Mitigation and Recommendations

To protect users, urllib3 now automatically strips the Proxy-Authorization header during cross-origin redirects. If you are affected by this vulnerability, update to urllib3 version 1.26.19 or 2.2.2 as soon as possible.

For more information and further updates, please refer to the original references:

- urllib3 GitHub Repository
- CVE-2024-37891 Advisory

In conclusion, CVE-2024-37891 poses a low risk for most users, but out of an abundance of caution it is highly recommended to update to a fixed version of urllib3 and to set the Proxy-Authorization header only through the library's proxy support rather than as a plain request header.

Timeline

Published on: 06/17/2024 20:15:13 UTC
Last modified on: 06/20/2024 12:44:22 UTC