CVE-2022-24737

MEDIUM

httpie < 3.1.0 - Exposure of Sensitive Information via Session Cookie Handling

Title source: llm

Description

HTTPie is a command-line HTTP client. HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage. Before 3.1.0, HTTPie didn't distinguish between cookies and the hosts they belonged to. This behavior resulted in the exposure of some cookies when there were redirects originating from the actual host to a third-party website. Users are advised to upgrade. There are no known workarounds.

Scores

CVSS v3 6.5
EPSS 0.0163
EPSS Percentile 73.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (5)
fedoraproject/fedora 34
fedoraproject/fedora 35
fedoraproject/fedora 36
httpie/httpie < 3.1.0
pypi/httpie 0 - 3.1.0 (PyPI)
Published Mar 07, 2022
Tracked Since Feb 18, 2026