CVE-2021-41945

9.1 CRITICAL

📋 TL;DR

CVE-2021-41945 is an improper input validation vulnerability in the httpx Python library that allows attackers to manipulate URL parsing to bypass security controls or cause denial of service. It affects applications using httpx for HTTP client operations. Developers using httpx versions below 0.23.0 are impacted.

💻 Affected Systems

Products:
  • httpx
Versions: All versions < 0.23.0
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Any Python application using httpx.URL, httpx.Client, or functions using httpx.URL.copy_with is vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass URL validation, security filters, or access controls, potentially leading to server-side request forgery (SSRF), authentication bypass, or denial of service.

🟠 Likely Case

Most commonly exploited to bypass URL-based security filters, manipulate request routing, or cause application crashes through malformed URLs.

🟢 If Mitigated

With proper input validation and URL sanitization at the application layer, impact is limited to potential minor disruptions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted URLs to vulnerable endpoints. Public proof-of-concept code demonstrates URL manipulation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.23.0

Vendor Advisory: https://github.com/encode/httpx/security/advisories/GHSA-8hfj-vvxq-3p3g

Restart Required: No

Instructions:

1. Update httpx to version 0.23.0 or higher using pip (quote the specifier so the shell does not treat > as a redirect): pip install "httpx>=0.23.0"
2. Verify no breaking changes in your application
3. Test URL handling functionality

🔧 Temporary Workarounds

Input Validation Wrapper (platform: all)

Implement custom URL validation before passing to httpx functions

URL Sanitization (platform: all)

Sanitize and normalize all URLs before httpx processing

🧯 If You Can't Patch

  • Implement strict input validation for all URL parameters
  • Use web application firewall (WAF) rules to filter suspicious URL patterns

🔍 How to Verify

Check if Vulnerable:

Check httpx version: python -c "import httpx; print(httpx.__version__)" and verify if < 0.23.0

Check Version:

python -c "import httpx; print('httpx version:', httpx.__version__)"

Verify Fix Applied:

After update, verify version is >= 0.23.0 and test URL handling with edge cases
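As an added example (not from the advisory or the httpx project), the version check from this section and the "Input Validation Wrapper" workaround in one script: the allowlisted host, the helper names and the stdlib-only parsing are assumptions, and the script does not need httpx installed to run.

```python
# Added example (not advisory/httpx code): version check + URL allowlist wrapper; names are assumptions.
import re
from importlib.metadata import PackageNotFoundError, version
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

FIXED = (0, 23, 0)  # first patched release per the advisory

def parse_version(v: str) -> tuple:
    """'0.22.0' -> (0, 22, 0); pre-release suffixes are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])

def httpx_is_vulnerable(installed: Optional[str]) -> Optional[bool]:
    """True if installed < 0.23.0, False if patched, None if not installed."""
    if installed is None:
        return None
    return parse_version(installed) < FIXED

def installed_httpx_version() -> Optional[str]:
    try:
        return version("httpx")
    except PackageNotFoundError:
        return None

# Hypothetical allowlist of hostnames this application is permitted to call.
ALLOWED_HOSTS = {"api.example.com"}
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")

def validate_url(raw: str) -> str:
    """Parse with the stdlib, reject anything unexpected, return a normalized URL; raise ValueError otherwise."""
    if any(c.isspace() or ord(c) < 0x20 for c in raw):
        raise ValueError("whitespace or control character in URL")
    parts = urlsplit(raw)  # itself raises ValueError on an unbalanced IPv6 bracket
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")
    host = parts.hostname or ""  # already lowercased by urlsplit
    if not HOST_RE.match(host) or host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))

def is_safe_url(raw: str) -> bool:
    try:
        return bool(validate_url(raw))
    except ValueError:
        return False
```

Call validate_url on every externally supplied URL and hand only its return value to httpx; the fragment is dropped and scheme and host are lowercased in the result.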

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL patterns in httpx requests
  • Application errors related to URL parsing
  • Unexpected outbound HTTP requests

Network Indicators:

  • HTTP requests with malformed or unusual URL structures
  • Requests bypassing expected URL validation

SIEM Query:

httpx OR python AND (url_validation OR parsing_error) AND version<0.23.0
