Description
Cookie leakage between different users in fastapi-proxy-lib
Impact
In the implementation of version 0.0.1, requests from different user clients are processed through a single shared httpx.AsyncClient.
The oversight is that httpx.AsyncClient persistently stores cookies from the Set-Cookie response headers sent by the target server and attaches those stored cookies to subsequent requests, regardless of which user issued them.
As a result, cookies leak between all user clients that share the same httpx.AsyncClient.
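The cookie replay described above, reduced to a runnable model. This is an added example, not code from fastapi-proxy-lib: it uses the standard library's http.cookiejar.CookieJar (the jar that httpx.Cookies wraps internally) together with a constructed upstream response instead of a live httpx client, so it runs offline; the upstream URL and cookie values are made up.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed upstream URL; the proxy forwards every user's request here.
UPSTREAM_URL = "http://upstream.example/api/me"


class UpstreamResponse:
    """Stand-in for an upstream HTTP response (constructed). The jar only
    reads response.info().get_all('Set-Cookie'), so that is all we model."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def forward(jar, upstream_set_cookie):
    """One proxied round trip through a client that owns `jar`, mirroring
    what an httpx client does per request: stored cookies are attached to
    the outgoing request, then any Set-Cookie in the reply is stored.
    Returns the Cookie header actually sent upstream (None if none)."""
    req = urllib.request.Request(UPSTREAM_URL)
    jar.add_cookie_header(req)  # replay whatever the jar holds
    sent_cookie = req.get_header("Cookie")
    jar.extract_cookies(UpstreamResponse(upstream_set_cookie), req)
    return sent_cookie


def shared_client_flow():
    """0.0.1 behaviour: one jar for every user, so Alice's upstream
    session cookie is replayed on Bob's unrelated request."""
    shared_jar = http.cookiejar.CookieJar()
    alice = forward(shared_jar, ["session=alice-secret; Path=/"])
    bob = forward(shared_jar, [])
    return {"alice_sent": alice, "bob_sent": bob}


def isolated_flow():
    """Mitigation: a fresh jar per proxied request, so nothing persists
    from one user's response into another user's request."""
    alice = forward(http.cookiejar.CookieJar(), ["session=alice-secret; Path=/"])
    bob = forward(http.cookiejar.CookieJar(), [])
    return {"alice_sent": alice, "bob_sent": bob}
```

In the shared flow Bob's request goes upstream carrying `session=alice-secret`; in the isolated flow neither request carries a cookie.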
Patches
Fixed in 0.1.0.
Workarounds
If you insist on staying on 0.0.1:
- Do not use ForwardHttpProxy at all.
- Do not use ReverseHttpProxy or ReverseWebSocketProxy for any upstream server that may send a Set-Cookie response header.
However, it's best to upgrade to the latest version.
References
Fixed in #10.
Packages
Name: fastapi-proxy-lib (pip)
Affected versions: < 0.1.0
Patched version: 0.1.0
Severity: 7.5 High (CVSS3)