
PyPI removes 'mitmproxy2' over code execution concerns
2021-10-12 17:50

The PyPI repository has removed a Python package called 'mitmproxy2' that was an identical copy of the official 'mitmproxy' library, but with an "artificially introduced" code execution vulnerability.

Yesterday, Maximilian Hils, one of the developers behind the 'mitmproxy' Python library, drew everyone's attention to a counterfeit 'mitmproxy2' package uploaded to PyPI. 'mitmproxy2' is essentially "the same as regular mitmproxy but with an artificial RCE vulnerability included."

Hils' main concern, as he describes to BleepingComputer, was that some software developers might mistake 'mitmproxy2' for a newer version of 'mitmproxy' and inadvertently introduce insecure code into their apps.

"The problem is of course if you upload that to PyPI as 'mitmproxy2' with a version number that indicates it's newer/a successor, people will inevitably download that not knowing about the changes."

While analyzing 'mitmproxy2', BleepingComputer discovered that another package, 'mitmproxy-iframe', had appeared on the PyPI registry less than a day after 'mitmproxy2' was removed.

BleepingComputer notified PyPI of the 'mitmproxy-iframe' package prior to publishing, and the package was taken down.
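The two names in this story follow a pattern a dependency review can catch before install: a known package name with a numeric "successor" suffix ('mitmproxy2') or an extra trailing segment ('mitmproxy-iframe'). The script below is an added example, not code from BleepingComputer or the mitmproxy project; it audits a constructed requirements file against an assumed allowlist of intended packages and flags names that imitate one of them. The allowlist, the sample requirements and the function names are all constructed for the example.

```python
from __future__ import annotations
import re

# Constructed allowlist of packages this project intends to depend on.
# Assumption: in practice this comes from a curated lockfile or internal list.
KNOWN_PACKAGES = {"mitmproxy", "requests"}

# Constructed sample requirements file mixing legitimate and lookalike names.
SAMPLE_REQUIREMENTS = """\
# project dependencies (constructed sample)
Mitmproxy==7.0.4
mitmproxy2>=7.0
mitmproxy-iframe
requests[socks]==2.26.0
-r extra.txt
"""

# A requirement line starts with the project name; extras, specifiers and
# markers follow after "[", "=", "<", ">", "!", "~", ";" or whitespace.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, with runs of '-', '_'
    and '.' collapsed to a single '-', so 'Mitmproxy' == 'mitmproxy'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement_names(text: str) -> list[str]:
    """Extract bare project names from requirements-style lines, skipping
    comments, blank lines and pip options such as '-r' or '--index-url'."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        match = _NAME_RE.match(line)
        if match:
            names.append(match.group(0))
    return names


def lookalike_of(name: str, known: set[str]) -> str | None:
    """Return the known package that `name` appears to imitate, or None.
    Two patterns are checked: a numeric successor suffix (mitmproxy2,
    mitmproxy-2) and an extra trailing segment (mitmproxy-iframe).
    An exact (normalized) match with a known package is never flagged."""
    candidate = normalize(name)
    known_normalized = {normalize(k) for k in known}
    if candidate in known_normalized:
        return None
    # Longest known names first so "foo-bar2" is attributed to "foo-bar", not "foo".
    for base in sorted(known_normalized, key=len, reverse=True):
        if re.fullmatch(re.escape(base) + r"-?\d+", candidate):
            return base
        if candidate.startswith(base + "-"):
            return base
    return None


def audit(text: str, known: set[str]) -> list[tuple[str, str]]:
    """Return (declared name, imitated package) pairs that need human review."""
    findings = []
    for name in parse_requirement_names(text):
        base = lookalike_of(name, known)
        if base is not None:
            findings.append((name, base))
    return findings


if __name__ == "__main__":
    for declared, base in audit(SAMPLE_REQUIREMENTS, KNOWN_PACKAGES):
        print(f"review: '{declared}' looks like a variant of '{base}'")
```

The output is a review queue, not a verdict: legitimate add-on packages also use a "base-segment" naming style, so a flagged name means "confirm this is the project you meant and that it comes from the maintainer you expect", which is exactly the check the 'mitmproxy2' case shows developers skipping when a higher version number implies a successor.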


News URL

https://www.bleepingcomputer.com/news/security/pypi-removes-mitmproxy2-over-code-execution-concerns/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Pypi 14 0 0 14 0 14