CVE-2023-32681 Overview
CVE-2023-32681 is an information disclosure vulnerability in the Python Requests HTTP library that allows proxy credentials to leak to destination servers during HTTPS redirects. Since version 2.3.0, Requests has been unintentionally forwarding Proxy-Authorization headers to destination servers when a request is redirected to an HTTPS endpoint, potentially allowing malicious actors to exfiltrate sensitive proxy authentication credentials.
Critical Impact
Proxy authentication credentials can be leaked to destination servers, enabling potential credential theft and unauthorized access to proxy-protected resources.
Affected Products
- Python Requests versions 2.3.0 through 2.30.x
- Fedora Project Fedora 37
- Any application using vulnerable versions of the Python Requests library
Discovery Timeline
- 2023-05-26 - CVE-2023-32681 published to NVD
- 2023-05-26 - Python Software Foundation releases security patch in version 2.31.0
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-32681
Vulnerability Analysis
This vulnerability stems from how the Python Requests library handles the Proxy-Authorization header during HTTP redirects. The issue lies in the rebuild_proxies function within requests/sessions.py, which incorrectly reattaches proxy credentials to requests even when being redirected to HTTPS endpoints.
For plain HTTP requests sent through a proxy, the proxy receives the entire request and can strip the Proxy-Authorization header before forwarding it to the destination. For HTTPS, however, the client authenticates to the proxy in the initial CONNECT request and then speaks TLS end-to-end with the destination through the tunnel, so the proxy cannot inspect or filter anything inside it. The vulnerable code also attached the credentials to the tunneled HTTPS request, where they travelled unfiltered to the destination server.
Root Cause
The root cause is improper conditional logic in the rebuild_proxies method that fails to distinguish between HTTP and HTTPS schemes when reattaching proxy authorization headers. The code unconditionally added the Proxy-Authorization header when username and password credentials were present, without checking whether the target URL scheme was HTTPS.
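The per-redirect rebuild described above, as an added Python model (not Requests' own code) that contrasts the pre-2.31.0 logic with the patched guard on a constructed http-to-https redirect chain; the proxy URL, host names and credentials are made up.

```python
import base64
from urllib.parse import urlparse

# Minimal model of the per-redirect header rebuild described above (added
# illustration, not the library's own code). `proxies` maps a URL scheme to a
# proxy URL that may embed user:pass, as Session.proxies does.

def _basic_auth_str(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def rebuild_proxy_headers(url, proxies, fixed):
    """Headers attached to `url` on a redirect hop. fixed=False models the
    pre-2.31.0 logic (header added for any scheme); fixed=True models the
    2.31.0 guard that skips https, where the CONNECT tunnel already carried
    the credential to the proxy and anything added here goes to the origin."""
    headers = {}
    scheme = urlparse(url).scheme
    proxy = urlparse(proxies.get(scheme, ""))
    if proxy.username and proxy.password:
        if fixed and scheme.startswith("https"):
            return headers
        headers["Proxy-Authorization"] = _basic_auth_str(proxy.username, proxy.password)
    return headers

def first_leaking_hop(hops, proxies, fixed):
    """Walk a redirect chain (hops[0] is the original URL) and return the first
    https hop whose tunneled request would carry Proxy-Authorization, or None."""
    for url in hops[1:]:
        hdrs = rebuild_proxy_headers(url, proxies, fixed)
        if urlparse(url).scheme == "https" and "Proxy-Authorization" in hdrs:
            return url
    return None

# Constructed scenario: one authenticated proxy for both schemes, and an http
# request that is redirected to an https endpoint.
PROXIES = {
    "http": "http://svc-user:s3cret@proxy.internal.example:3128",
    "https": "http://svc-user:s3cret@proxy.internal.example:3128",
}
CHAIN = ["http://start.example/", "https://target.example/landing"]

if __name__ == "__main__":
    print("vulnerable:", first_leaking_hop(CHAIN, PROXIES, fixed=False))
    print("patched:   ", first_leaking_hop(CHAIN, PROXIES, fixed=True))
```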
Attack Vector
An attacker can exploit this vulnerability by controlling or compromising a destination server that receives redirected HTTPS requests. The attack requires:
- A victim application using a vulnerable version of Requests configured with proxy authentication
- A malicious or compromised server that can trigger a redirect or is the target of a proxied HTTPS request
- Network positioning to receive the leaked credentials
When the victim application makes requests through an authenticated proxy and follows a redirect to an HTTPS endpoint, the proxy credentials are forwarded to the destination server in the Proxy-Authorization header, effectively in plain text (base64-encoded Basic credentials that the destination can trivially decode).
except KeyError:
username, password = None, None
- if username and password:
+ # urllib3 handles proxy authorization for us in the standard adapter.
+ # Avoid appending this to TLS tunneled requests where it may be leaked.
+ if not scheme.startswith('https') and username and password:
headers["Proxy-Authorization"] = _basic_auth_str(username, password)
return new_proxies
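Review bot: the new guard on the `if` stops re-attaching the credential for https schemes, but nothing in the visible lines removes a Proxy-Authorization header that is already present in `headers`; confirm that rebuild_proxies deletes any existing Proxy-Authorization header before the `try` block, otherwise a value attached on the previous hop survives a redirect to https untouched. Minor: `scheme.startswith('https')` is a prefix test, so `scheme == 'https'` would state the intent more precisely.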
Source: GitHub Commit Update
Detection Methods for CVE-2023-32681
Indicators of Compromise
- Unexpected Proxy-Authorization headers appearing in server access logs for HTTPS endpoints
- Proxy credentials appearing in destination server request headers
- Anomalous authentication attempts using leaked proxy credentials
- Network traffic analysis showing proxy credentials in TLS-decrypted HTTPS requests
Detection Strategies
- Audit Python applications to identify use of Requests library versions 2.3.0 through 2.30.x
- Review server logs for requests containing Proxy-Authorization headers from unexpected sources
- Implement network monitoring to detect proxy credential leakage in outbound HTTPS traffic
- Use software composition analysis (SCA) tools to identify vulnerable Requests library dependencies
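Added example (not from this advisory or the Requests project) implementing the first two detection strategies above: it scans constructed origin-server log lines for Proxy-Authorization headers on HTTPS requests and names the proxy account to rotate, and it checks a Requests version string against the 2.3.0 through 2.30.x range. The log format is an assumed one.

```python
import base64
import re

# Added detection helpers (not part of the advisory or of Requests). The log
# format is assumed: <ts> <client-ip> "<method> <url>" Name="value" Name="value"

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>\S+) (?P<url>\S+)"(?P<hdrs>.*)$')
HDR_RE = re.compile(r'(\S+?)="([^"]*)"')

def find_leaked_proxy_auth(log_lines):
    """HTTPS requests whose headers carried Proxy-Authorization. The Basic value
    is decoded only to name the proxy account to rotate; the password is dropped."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("url").startswith("https://"):
            continue
        headers = dict(HDR_RE.findall(m.group("hdrs")))
        value = headers.get("Proxy-Authorization")
        if value is None:
            continue
        account = "<non-basic>"
        if value.startswith("Basic "):
            try:
                account = base64.b64decode(value[6:]).decode().split(":", 1)[0]
            except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
                account = "<undecodable>"
        findings.append({"src": m.group("src"), "url": m.group("url"),
                         "proxy_user": account, "ua": headers.get("User-Agent", "")})
    return findings

def is_vulnerable_requests(version_text):
    """True for Requests 2.3.0 through 2.30.x, the range the advisory names."""
    m = re.match(r"(\d+)\.(\d+)", version_text)
    if not m:
        return False
    major, minor = int(m.group(1)), int(m.group(2))
    return (2, 3) <= (major, minor) <= (2, 30)

# Constructed sample input
SAMPLE_LOG = [
    '2023-05-27T10:00:01Z 203.0.113.7 "GET https://target.example/landing" '
    'User-Agent="python-requests/2.28.1" Proxy-Authorization="Basic c3ZjLXVzZXI6czNjcmV0"',
    '2023-05-27T10:00:02Z 203.0.113.7 "GET https://target.example/ok" User-Agent="python-requests/2.31.0"',
    '2023-05-27T10:00:03Z 198.51.100.9 "GET http://plain.example/" Proxy-Authorization="Basic Zm9vOmJhcg=="',
]

if __name__ == "__main__":
    for f in find_leaked_proxy_auth(SAMPLE_LOG):
        print(f"{f['src']} {f['url']}: rotate proxy account {f['proxy_user']} ({f['ua']})")
```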
Monitoring Recommendations
- Enable verbose logging on proxy servers to track authorization header handling
- Monitor for unusual authentication patterns using proxy credentials from non-proxy IP addresses
- Implement alerts for proxy credential usage from unexpected geographic locations or IP ranges
- Review application dependencies regularly using automated vulnerability scanning tools
How to Mitigate CVE-2023-32681
Immediate Actions Required
- Upgrade Python Requests library to version 2.31.0 or later immediately
- Audit all applications and containers using Python Requests to identify vulnerable versions
- Rotate proxy credentials if there is any possibility they may have been exposed
- Review server logs for evidence of credential leakage prior to patching
Patch Information
The vulnerability has been patched in Python Requests version 2.31.0. The fix adds a conditional check to ensure Proxy-Authorization headers are not appended to HTTPS tunneled requests. The patch is available through the GitHub Release v2.31.0. Additional security details are available in the GitHub Security Advisory GHSA-j8r2-6x86-q33q.
Distribution-specific patches are also available:
Workarounds
- Avoid using proxy authentication for sensitive requests until patching is complete
- Implement network segmentation to limit exposure of proxy-authenticated traffic
- Use separate proxy credentials for different security zones to minimize impact of potential leakage
- Consider using environment-based proxy configuration without embedded credentials
# Upgrade Python Requests to the patched version (quote the specifier so the
# shell does not treat ">=" as an output redirection)
pip install --upgrade 'requests>=2.31.0'
# Verify the installed version
pip show requests | grep Version
# For requirements.txt, update the pin to:
# requests>=2.31.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

