CVE-2022-24766

9.8 CRITICAL

📋 TL;DR

CVE-2022-24766 is an HTTP request smuggling vulnerability in mitmproxy that allows malicious clients or servers to bypass security controls. Attackers can smuggle hidden HTTP requests through mitmproxy that evade detection and custom security hooks. This affects mitmproxy versions 7.0.4 and below when used with HTTP/1 services.

💻 Affected Systems

Products:
  • mitmproxy
Versions: 7.0.4 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where mitmproxy is used with HTTP/1 services. HTTP/2 and HTTPS services are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers bypass all mitmproxy security controls including authentication, authorization, and input validation, potentially leading to unauthorized access, data exfiltration, or command injection on backend systems.

🟠 Likely Case

Bypass of custom security checks implemented in mitmproxy event hooks, allowing unauthorized requests to reach protected backend services.

🟢 If Mitigated

Limited impact if mitmproxy is only used with HTTP/2 or HTTPS services, or if backend services have their own robust security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of HTTP request smuggling techniques but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.0 and above

Vendor Advisory: https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3

Restart Required: Yes

Instructions:

1. Stop the mitmproxy service.
2. Upgrade to mitmproxy 8.0.0 or later using pip: 'pip install --upgrade mitmproxy'.
3. Restart the mitmproxy service.

🔧 Temporary Workarounds

No known workarounds

The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Discontinue use of mitmproxy with HTTP/1 services and migrate to HTTP/2 or HTTPS.
  • Implement additional security controls at the backend service level to validate all incoming requests.

🔍 How to Verify

Check if Vulnerable:

Check the mitmproxy version with 'mitmproxy --version'. If the version is 7.0.4 or below, the system is vulnerable.

Check Version:

mitmproxy --version

Verify Fix Applied:

After upgrading, verify that the version is 8.0.0 or above with 'mitmproxy --version'.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected HTTP requests appearing in backend server logs that don't appear in mitmproxy logs
  • Requests with unusual Content-Length or Transfer-Encoding headers
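The second indicator can be checked mechanically. The following is an added example, not code from the advisory or from mitmproxy: it parses a raw HTTP/1 request head and reports framing that two parsers (a proxy and a backend) could interpret differently, which is the condition request smuggling depends on. The sample requests are constructed.

```python
import re

# Constructed sample request heads (not real captures); bodies are harmless.
CLEAN = b"POST /api HTTP/1.1\r\nHost: backend.test\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST /api HTTP/1.1\r\nHost: backend.test\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding:\tChunked \r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /api HTTP/1.1\r\nHost: backend.test\r\nContent-Length: 5\r\n"
          b"Content-Length: 10\r\n\r\nhello")

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1 request head into (lower-cased name, raw value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value))
    return pairs

def framing_findings(raw: bytes) -> list[str]:
    """Reasons two HTTP/1 parsers could frame this body differently (empty = clean)."""
    headers = parse_headers(raw)
    cls = [v.strip() for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    findings = []
    if cls and tes:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cls)) > 1:
        findings.append("conflicting Content-Length values: " + ", ".join(cls))
    findings += [f"non-numeric Content-Length: {v!r}"
                 for v in cls if not re.fullmatch(r"[0-9]+", v)]
    for v in tes:
        codings = [c.strip().lower() for c in v.split(",")]
        if codings[-1] != "chunked":
            findings.append(f"Transfer-Encoding does not end in chunked: {v!r}")
        if v != " " + v.strip() or v.strip() != v.strip().lower():
            # Legal per RFC 7230, but tabs, odd spacing and mixed case are
            # exactly where implementations disagree, so they are worth a log line.
            findings.append(f"unusually formatted Transfer-Encoding: {v!r}")
    return findings

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("cl+te", AMBIGUOUS), ("dup-cl", DUP_CL)]:
        print(label, framing_findings(sample) or "no findings")
```

Run it against requests captured at the backend; anything with findings is a candidate for the cross-check against mitmproxy's own logs described in the first indicator.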

Network Indicators:

  • HTTP traffic with inconsistent request/response parsing between mitmproxy and backend servers

SIEM Query (Splunk SPL; assumes both log sources carry http.method and src_ip, and keeps method/source-IP groups that the backend logged but mitmproxy did not):

(source="backend_server" OR source="mitmproxy") http.method=*
| stats values(source) AS seen_in, count BY http.method, src_ip
| where isnull(mvfind(seen_in, "mitmproxy"))

🔗 References