
CVE-2021-41945: Improper Input Validation in httpx

CVSS Score: 9.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.65466%
Published: 4/29/2022
Updated: 9/23/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
httpx | pip | < 0.23.0 | 0.23.0

Vulnerability Intelligence

Root Cause Analysis

The root cause is in httpx.URL.copy_with, which rebuilt a URL from updated components by calling unsplit() directly and did not normalize or validate the result. A URL assembled that way can reparse into components other than the ones the caller supplied, so the final URL could differ from what the caller intended. The fix commit replaces the direct unsplit() call with normalization logic. The CVE description, the GHSA and the PoC agree on two points: 1) copy_with's unsplit operation produced unexpected normalization of the resulting URL, and 2) the flaw is reachable through Client and Proxy initialization, which route URL construction through copy_with. Although the patch modifies only copy_with, the CVE description and the PoC list Client and Proxy as vulnerable components because they are the callers that expose it.
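The serialize-then-reparse mismatch described above, shown with the standard library. This is an added example and is not httpx's code: rebuild_url mimics the shape of the vulnerable pattern (replace some components, unsplit, return, with no validation), and checked_rebuild_url is a hardened variant that reparses the result and refuses the update when any component came back different. The base URL and the component values are constructed for the example; nothing here is the advisory's PoC.

```python
"""Added example: why building a URL by unsplitting updated components can
change its meaning, and a round-trip check that refuses such updates.

This is not httpx's code. The URLs and component values below are constructed
for illustration, not taken from the advisory's PoC.
"""
from urllib.parse import SplitResult, urlsplit, urlunsplit


def rebuild_url(base: str, **parts: str) -> str:
    """Unsafe pattern: replace components of `base`, serialize with urlunsplit().

    This mirrors the shape of the flaw described in the advisory (copy some
    components, unsplit, done) and deliberately performs no validation.
    """
    components = urlsplit(base)._asdict()
    components.update(parts)
    return urlunsplit(SplitResult(**components))


def round_trips(base: str, **parts: str):
    """Serialize the updated components, reparse, and compare.

    Returns (ok, intended, reparsed); the two dicts are keyed by
    scheme, netloc, path, query and fragment.
    """
    intended = dict(urlsplit(base)._asdict())
    intended.update(parts)
    reparsed = dict(urlsplit(rebuild_url(base, **parts))._asdict())
    return intended == reparsed, intended, reparsed


def checked_rebuild_url(base: str, **parts: str) -> str:
    """Hardened variant: return the URL only if every component survived reparse."""
    ok, intended, reparsed = round_trips(base, **parts)
    if not ok:
        changed = {
            name: (intended[name], reparsed[name])
            for name in intended
            if intended[name] != reparsed[name]
        }
        raise ValueError(f"URL components changed on reparse: {changed}")
    return rebuild_url(base, **parts)


if __name__ == "__main__":
    base = "https://example.com/api"  # constructed base URL for the demo
    # Benign update: every component round-trips, both variants agree.
    print(checked_rebuild_url(base, path="/v2/items"))
    # A '?' inside the new path leaks into the query on reparse: the unsafe
    # variant returns the shifted URL silently, the checked variant refuses.
    print(rebuild_url(base, path="/search?q=1"))
    try:
        checked_rebuild_url(base, path="/search?q=1")
    except ValueError as exc:
        print("rejected:", exc)
```

A '?' in a path or a '#' in a query is the simplest way to make the reparsed components disagree with the intended ones, but the check compares whole components rather than scanning for a fixed list of characters, so it also catches shifts you did not anticipate.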


WAF Protection Rules

WAF Rule

Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.
