CVE-2021-41945: 
Python vulnerability analysis and mitigation

Encode OSS httpx < 0.23.0 is affected by improper input validation in httpx.URL, httpx.Client and some functions using httpx.URL.copy_with. The vulnerability was discovered in 2021 and publicly disclosed on April 28, 2022 (NVD, MITRE).

The vulnerability stems from improper implementation of httpx.URL().copywith method, which can lead to incorrect URL parsing. When copywith parses self.urireference.copy_with(**kwargs).unsplit() before returning the new URL, the new URL string returned by unsplit may make unintended changes to the URL. This vulnerability is categorized as CWE-20 (Improper Input Validation) with a CVSS v3.1 Base Score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) (NVD).

The vulnerability could allow attackers to bypass URL blacklists and potentially perform Server-Side Request Forgery (SSRF) attacks. For example, maliciously crafted URLs could make httpx.Client and httpx.Proxy implicitly parse wrong URLs, leading to unauthorized access to internal resources or sensitive data leakage (GitHub POC).

The vulnerability was fixed in httpx version 0.23.0. The fix involves modifying the URL.copy_with implementation to properly handle URL parsing. Users are strongly recommended to upgrade to version 0.23.0 or later to address this security issue (Release Notes).

The vulnerability was initially reported privately through GitHub Discussions and later tracked publicly. The maintainers acknowledged the issue and worked with the reporter to develop and implement a fix. The security community recognized this as a significant security issue, leading to its inclusion in GitHub's advisory database and Dependabot dependency scanning (GitHub Discussion).