A critical CVE in python-urllib3 (openSUSE) leaks Authorization & Cookie headers via proxy redirects. Here’s how to check, patch, and mitigate — plus a ready‑to‑use automation script and essential resources for mastering binary security.
originally published: May 26, 2026
But the techniques below will help you detect and fix this class of bug for years to come, on any Linux distribution.
What’s the problem?
An attacker who controls a redirect destination can capture your application’s Authorization, Cookie, and Proxy‑Authorization headers when your Python code uses urllib3 in a certain way.
The issue affects urllib3 versions 1.23 up to 2.6.x and has been assigned CVE‑2026‑44431 (severity: important).
It happens when you follow cross‑origin redirects through the low‑level API (for example, ProxyManager.connection_from_url().urlopen(..., assert_same_host=False)). In that scenario, the headers that should have been stripped are still forwarded.
Real‑world impact:
Imagine your script talks to api.trusted.com via a proxy. The proxy returns a 302 redirect to evil.com. Your urllib3 client automatically follows the redirect – and sends the original Authorization: Bearer … header to evil.com. Now the attacker has your token.
How to check if you are vulnerable (actual commands for openSUSE)
First, find out which python-urllib3 package is installed and whether it contains the flawed version.
# Check installed version on openSUSE Leap 15.6 / SUSE Linux Enterprise
zypper info python311-urllib3_1 | grep Version

# Alternative: query the package directly
rpm -q python311-urllib3_1
If the version is lower than 1.26.18‑150600.3.9.1 (for the openSUSE‑specific package) or upstream < 2.7.0, you are vulnerable.
To inspect the actual urllib3 library inside your Python environment:
python3 -c "import urllib3; print(urllib3.__version__)"
If the output is < 2.7.0 and you use proxies + low‑level redirects, your applications are at risk.
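To turn the two version rules above into something you can run from a cron job or CI, here is an added example (not code from the original post). It encodes exactly the ranges stated above: upstream urllib3 is affected when 1.23 <= version < 2.7.0, and the openSUSE python311-urllib3_1 package is affected when it is below 1.26.18‑150600.3.9.1. It also parses the NVRA string that rpm -q prints. The version comparison is a simplified numeric-segment compare, not a full rpmvercmp, and ignores pre-release suffixes; the function names are this example's own.

```python
"""Added example: offline urllib3 vulnerability check for the ranges stated above.
Standard library only. Simplified version compare (assumption: numeric segments,
pre-release tags such as 'rc1' are not modelled the way rpmvercmp does)."""
import re
import sys

AFFECTED_FROM = (1, 23)            # first affected upstream release (from the post)
FIXED_UPSTREAM = (2, 7, 0)         # first fixed upstream release (from the post)
FIXED_SUSE = "1.26.18-150600.3.9.1"  # fixed openSUSE package version-release (from the post)


def _numeric(s):
    """'1.26.18' -> (1, 26, 18); '150600.3.9.1' -> (150600, 3, 9, 1)."""
    return tuple(int(x) for x in re.findall(r"\d+", s))


def _cmp(a, b):
    """Compare two numeric tuples after zero-padding, so (2, 7) == (2, 7, 0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def upstream_is_vulnerable(version):
    """True when 1.23 <= version < 2.7.0, the range given in the post."""
    v = _numeric(version)
    return _cmp(v, AFFECTED_FROM) >= 0 and _cmp(v, FIXED_UPSTREAM) < 0


def evr_from_nvra(nvra):
    """'python311-urllib3_1-1.26.18-150600.3.9.1.noarch' -> '1.26.18-150600.3.9.1'.
    Splits from the right because the package name itself contains a hyphen."""
    body = nvra.rsplit(".", 1)[0]          # drop the architecture suffix
    name_ver, _, rel = body.rpartition("-")  # release is after the last hyphen
    _, _, ver = name_ver.rpartition("-")     # version is after the one before it
    return f"{ver}-{rel}"


def suse_package_is_vulnerable(evr):
    """True when version-release is below the fixed openSUSE package.
    Numeric compare matters here: release 3.10.1 is newer than 3.9.1,
    which a plain string comparison would get wrong."""
    ver, _, rel = evr.partition("-")
    fver, _, frel = FIXED_SUSE.partition("-")
    c = _cmp(_numeric(ver), _numeric(fver))
    if c != 0:
        return c < 0
    return _cmp(_numeric(rel), _numeric(frel)) < 0


def check_running_interpreter():
    """Report on the urllib3 importable by this interpreter (if any)."""
    try:
        import urllib3
    except ImportError:
        return "urllib3 is not importable in this interpreter"
    v = urllib3.__version__
    verdict = "VULNERABLE" if upstream_is_vulnerable(v) else "not in the affected range"
    return f"urllib3 {v}: {verdict}"


if __name__ == "__main__":
    print(check_running_interpreter())
    # Pass the output of `rpm -q python311-urllib3_1` as arguments to check the distro package.
    for nvra in sys.argv[1:]:
        evr = evr_from_nvra(nvra)
        verdict = "VULNERABLE" if suse_package_is_vulnerable(evr) else "fixed"
        print(f"{nvra}: {verdict} ({evr} vs fixed {FIXED_SUSE})")
```

Run it as `python3 check_urllib3.py "$(rpm -q python311-urllib3_1)"` on the host: the first line reports the library the interpreter actually imports (which may be a venv copy, not the distro package), the second the rpm.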
Automation script to apply the fix (for openSUSE)
Save this as patch_urllib3.sh and run it as root.
#!/bin/bash
# patch_urllib3.sh – resolves CVE-2026-44431 on openSUSE Leap / SUSE Linux Enterprise
set -e

# zypper and rpm below need root privileges; fail early instead of half-way through
if [ "$(id -u)" -ne 0 ]; then
    echo "Run this script as root (e.g. sudo ./patch_urllib3.sh)" >&2
    exit 1
fi

echo "🔍 Checking current urllib3 version..."
zypper info python311-urllib3_1 | grep Version

echo "📦 Installing the security update..."
zypper --non-interactive patch --cve=CVE-2026-44431
# For openSUSE Leap 15.6, the specific patch ID is SUSE-2026-2067=1
# Uncomment the line below if the generic patch command does not work:
# zypper --non-interactive in -t patch SUSE-2026-2067=1

echo "✅ Verifying installed version..."
rpm -q python311-urllib3_1

echo "🔁 Restart any long‑running Python services that use urllib3 (example: systemctl restart myapp)"
Make it executable and run it:
chmod +x patch_urllib3.sh
sudo ./patch_urllib3.sh
Why this script matters:
It solves this specific CVE. To learn how to build your own detection and patching tools for any future vulnerability, invest in Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly and Practical Malware Analysis: The Hands‑On Guide to Dissecting Malicious Software.
A patch fixes the hole – but attackers don’t just send malformed IPs. They deliver malware that exploits the flaw, persists, and phones home. Those books teach you to dissect the malware itself, not just chase patches.
Practical Binary Analysis (advertising) -> https://amzn.to/4vh0Kmw
Practical Malware Analysis (advertising) -> https://amzn.to/4o0gYhu
I earn a commission if you make a purchase.
Alternative mitigation if you can’t update now
If you cannot upgrade urllib3 immediately, use one of these workarounds:
1. Code‑level changes (most reliable)
Switch to the high‑level API (ProxyManager.request()) instead of the low‑level urlopen() with assert_same_host=False.
Disable automatic redirects and handle them manually: pass redirect=False when sending the request, then inspect the Location header and decide whether to forward sensitive headers.
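The manual-redirect workaround just described, written out as an added example (not code from the original post or from the urllib3 project). The decision logic is pure standard library: a redirect keeps Authorization, Cookie and Proxy‑Authorization only when the resolved Location stays on the same origin (scheme, host and port, with default ports filled in), so a host change, an https-to-http downgrade or a port change all strip them. The fetch loop takes a pluggable transport so it can run offline against a constructed stand-in; the urllib3_sender helper at the end is the only part that needs urllib3 and a network, and uses ProxyManager.request() with redirect=False as the post recommends. All function names and the .example hostnames are this example's own.

```python
"""Added example: manual redirect handling that never forwards credentials across origins.
Standard library only, except the optional urllib3 transport at the bottom."""
from urllib.parse import urlsplit, urljoin

# Header names the post says must not cross an origin boundary (compared case-insensitively)
SENSITIVE = frozenset({"authorization", "cookie", "proxy-authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def origin(url):
    """(scheme, host, port) with the scheme's default port filled in, so
    https://a.example and https://A.example:443/ are the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def headers_for_redirect(current_url, location, headers):
    """Resolve Location (absolute or relative) against the current URL and return
    (next_url, headers_allowed_there). Same origin: everything is kept.
    Different origin: the sensitive headers are dropped, the rest are kept."""
    next_url = urljoin(current_url, location)
    if origin(next_url) == origin(current_url):
        return next_url, dict(headers)
    return next_url, {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}


def fetch_following_redirects(send, url, headers, max_redirects=5):
    """send(url, headers) -> (status, response_headers) is the transport.
    Follows 3xx responses with the policy above and returns
    (final_url, final_status, headers_sent_to_final_url)."""
    current, current_headers = url, dict(headers)
    for _ in range(max_redirects + 1):
        status, resp_headers = send(current, current_headers)
        location = next((v for k, v in resp_headers.items() if k.lower() == "location"), None)
        if status not in REDIRECT_STATUSES or location is None:
            return current, status, current_headers
        current, current_headers = headers_for_redirect(current, location, current_headers)
    raise RuntimeError("too many redirects")


def run_demo():
    """Constructed scenario from the post: the trusted API answers with a 302 to an
    unrelated host. Returns (final_url, status, seen) where seen records every
    (url, headers) pair the transport was asked to send."""
    seen = []

    def transport(url, headers):          # stand-in for the network, constructed
        seen.append((url, dict(headers)))
        if urlsplit(url).hostname == "api.trusted.example":
            return 302, {"Location": "https://other.example/landing"}
        return 200, {}

    final_url, status, _ = fetch_following_redirects(
        transport,
        "https://api.trusted.example/v1/me",
        {"Authorization": "Bearer constructed-token",   # constructed sample values
         "Cookie": "session=constructed",
         "Accept": "application/json"},
    )
    return final_url, status, seen


def urllib3_sender(proxy_url):
    """Real transport through a proxy with urllib3's own redirect following turned off
    (redirect=False), so the loop above decides what is forwarded. Requires urllib3."""
    import urllib3
    pm = urllib3.ProxyManager(proxy_url)

    def send(url, headers):
        r = pm.request("GET", url, headers=headers, redirect=False)
        return r.status, dict(r.headers)
    return send


if __name__ == "__main__":
    final_url, status, seen = run_demo()
    for url, hdrs in seen:
        print(f"sent to {url}: {sorted(hdrs)}")
    print(f"final: {status} {final_url}")
```

In the demo the first request carries Authorization and Cookie to api.trusted.example; the request to other.example carries only Accept. To use it for real, replace the transport with `urllib3_sender("http://10.0.0.1:3128")` (the proxy address from the iptables section, as a placeholder).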
2. Network‑level blocking with iptables
Block outbound HTTP/HTTPS traffic from the user or group that runs the vulnerable script, except to trusted destinations.
# Create a dedicated system user for the script
useradd -r vulnerable_script_user

# Allow traffic only to your proxy or specific IPs (10.0.0.1:3128 is the example proxy here)
iptables -A OUTPUT -m owner --uid-owner vulnerable_script_user -d 10.0.0.1 -p tcp --dport 3128 -j ACCEPT

# Log, then reject, everything else that user tries to send
iptables -A OUTPUT -m owner --uid-owner vulnerable_script_user -j LOG --log-prefix "BLOCKED_URLLIB3: "
iptables -A OUTPUT -m owner --uid-owner vulnerable_script_user -j REJECT
3. Use an HTTP proxy that strips sensitive headers
Run a local transparent proxy (e.g., Squid or mitmproxy) that removes Authorization, Cookie, and Proxy‑Authorization from requests that cross domain boundaries. Then force the vulnerable script to use that proxy via the HTTP_PROXY environment variable.
Conclusion
You’ve just fixed one CVE. But next week, there will be another. And the week after, attackers won’t wait for a patch – they’ll ship malware that exploits the flaw and hides inside your systems.
Learn to dissect that malware. Grab Practical Malware Analysis and Practical Binary Analysis – because knowing how the exploit works is good, but knowing how the malware behaves is what makes you truly secure.
Patch today. Learn to hunt tomorrow.