7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-7vwr-g6pm-9hc8

GHSA-7vwr-g6pm-9hc8: Cookie leakage between different users in fastapi-proxy-lib

Impact

In the implementation of version 0.0.1, requests from different user clients are processed using a shared httpx.AsyncClient.

However, one oversight is that the httpx.AsyncClient will persistently store cookies based on the set-cookie response header sent by the target server and share these cookies across different user requests.

This results in a cookie leakage issue among all user clients sharing the same httpx.AsyncClient.

Patches

It's fixed in 0.1.0

Workarounds

If you insist 0.0.1:

Do not use ForwardHttpProxy at all.
Do not use ReverseHttpProxy or ReverseWebSocketProxy for any servers that may potentially send a set-cookie response.

However, it's best to upgrade to the latest version.

References

fixed in #10

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-7vwr-g6pm-9hc8

GHSA-7vwr-g6pm-9hc8:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fastapi-proxy-lib	pip	< 0.1.0	0.1.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from shared httpx.AsyncClient usage across requests in proxy handlers. The advisory explicitly mentions ForwardHttpProxy, ReverseHttpProxy, and ReverseWebSocketProxy as affected components. These classes' request handling methods would inherently use the shared client instance. The fix in #10 specifically addresses cookie handling in these proxies, confirming their involvement. High confidence comes from: 1) Direct correlation between described vulnerability pattern and proxy request handling methods 2) Workaround instructions specifically naming these components 3) PR#10's focus on modifying client initialization in these proxies.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-7vwr-g6pm-9hc8: Cookie leakage between different users in fastapi-proxy-lib

Impact

Patches

Workarounds

References

GHSA-7vwr-g6pm-9hc8:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

GHSA-7vwr-g6pm-9hc8: Cookie leakage between different users in fastapi-proxy-lib

Impact

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI