Description
HTTPie is a command-line HTTP client. HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage. Before 3.1.0, HTTPie didn‘t distinguish between cookies and hosts they belonged. This behavior resulted in the exposure of some cookies when there are redirects originating from the actual host to a third party website. Users are advised to upgrade. There are no known workarounds.
References (6)
Core 6
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/httpie/httpie/security/advisories/GHSA-9w4w-cpc8-h2fq
Patch, Third Party Advisory x_refsource_misc
https://github.com/httpie/httpie/commit/65ab7d5caaaf2f95e61f9dd65441801c2ddee38b
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/httpie/httpie/releases/tag/3.1.0
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXFCHGTW3V32GD6GXXJZE5QAOSDT3RTY/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5VYSYKEKVZEVEBIWAADGDXG4Y3EWCQ3/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QZD2AZOL7XLNZVAV6GDNXYU6MFRU5RS/
Scores
CVSS v3
6.5
EPSS
0.0060
EPSS Percentile
69.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (5)
fedoraproject/fedora
34
fedoraproject/fedora
35
fedoraproject/fedora
36
httpie/httpie
< 3.1.0
pypi/httpie
0 - 3.1.0PyPI
Published
Mar 07, 2022
Tracked Since
Feb 18, 2026