GHSA-7vwr-g6pm-9hc8: 
Python vulnerability analysis and mitigation

A high-severity security vulnerability (GHSA-7vwr-g6pm-9hc8) was discovered in fastapi-proxy-lib affecting versions < 0.1.0. The vulnerability was disclosed and published on December 1, 2023, impacting the Python package fastapi-proxy-lib distributed via pip. This security issue involves cookie leakage between different users due to shared client instances (GitHub Advisory).

The vulnerability stems from an implementation flaw where requests from different user clients are processed using a shared httpx.AsyncClient instance. The AsyncClient persistently stores cookies based on the set-cookie response header from the target server and inadvertently shares these cookies across different user requests. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low complexity, no privileges required, and no user interaction needed (GitHub Advisory).

The vulnerability results in a significant privacy breach where cookies, potentially containing sensitive session information, are leaked between different users sharing the same httpx.AsyncClient instance. This could lead to unauthorized access to user sessions and compromise of confidential information (GitHub Advisory).

The vulnerability has been patched in version 0.1.0 of fastapi-proxy-lib. For users who must remain on version 0.0.1, temporary workarounds include avoiding the use of ForwardHttpProxy entirely and not using ReverseHttpProxy or ReverseWebSocketProxy for any servers that might send set-cookie responses. However, upgrading to the latest version is strongly recommended as the best mitigation strategy (GitHub Advisory).