mitmproxy LDAP proxy authentication allows bypassing security checks
GHSA-527g-3w9m-29hv
Summary
A security issue in mitmproxy's LDAP proxy authentication can allow a malicious client to access a mitmproxy instance without a valid username and password. This issue is fixed in mitmproxy 12.2.2 and above. If you're using LDAP proxy authentication, update to the latest version to stay secure.
What to do
- Update mitmproxy to version 12.2.2.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| PyPI | – | mitmproxy | < 12.2.2 | upgrade to 12.2.2 |
| pip | – | mitmproxy | <= 12.2.1 | upgrade to 12.2.2 |
Original title
mitmproxy has an LDAP Injection
Original description
### Impact
In mitmproxy 12.2.1 and below, the built-in LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication.
Only mitmproxy instances using the `proxyauth` option with LDAP are affected. This option is not enabled by default.
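As an added illustration of the bug class named by this advisory (CWE-90), not mitmproxy's own code: a hypothetical proxy-user lookup that interpolates the client-supplied username into an LDAP search filter, beside the RFC 4515 escaping that keeps the input from altering the filter's structure, plus a simple check a defender can run over proxy-auth usernames in logs. The `(uid=%s)` filter template and the function names are assumptions.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value, otherwise user input can change the filter's meaning.
# Production code should use the LDAP client library's own escaping helper;
# this table is the same mapping written out for a self-contained example.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed template; a real deployment would take this from configuration.
_USER_FILTER_TEMPLATE = "(uid=%s)"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search filter assertion value."""
    # Per-character mapping, so a backslash is escaped exactly once.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: the raw username becomes part of the filter."""
    return _USER_FILTER_TEMPLATE % username


def build_user_filter(username: str) -> str:
    """Hardened pattern: the username is escaped before interpolation, so the
    filter always stays a single equality assertion on uid."""
    return _USER_FILTER_TEMPLATE % escape_filter_value(username)


_FILTER_META = re.compile(r"[*()\\\x00]")


def username_is_suspicious(username: str) -> bool:
    """Detection hook: True when a proxy-auth username carries LDAP filter
    metacharacters. Useful for alerting on instances that cannot be patched
    immediately, since legitimate usernames almost never contain them."""
    return bool(_FILTER_META.search(username))


if __name__ == "__main__":
    # Constructed input with filter metacharacters (not a working bypass).
    sample = "a*b)"
    print("unsafe filter:", build_user_filter_unsafe(sample))
    print("safe filter:  ", build_user_filter(sample))
    print("suspicious:   ", username_is_suspicious(sample))
```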
### Patches
The vulnerability has been fixed in mitmproxy 12.2.2 and above.
### Acknowledgements
We thank Yue (Knox) Liu (@yueyueL) for responsibly disclosing this vulnerability to the mitmproxy team.
### Timeline
- **2025-12-08**: Received initial report.
- **2025-12-09**: Verified report and confirmed receipt.
- **2026-01-02**: Informed researcher that patch will be part of the next regular patch release.
- **2026-04-12**: Published patch release and advisory.
CVSS 3.1 (osv): 4.8
Vulnerability type: CWE-90 (LDAP injection)
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 14 Apr 2026