Listen to this Post
The vulnerability exists in mitmproxy versions 12.2.1 and below when the built-in LDAP proxy authentication is enabled via the `proxyauth` option. The LDAP backend does not sanitize the username provided by the client before embedding it into the LDAP search filter query. A malicious client can inject special characters (e.g., “, `(` , ), \0) into the username field. Because the unsanitized input is concatenated directly into the LDAP filter string, an attacker can alter the logical structure of the filter. For example, injecting `)(uid=))` or using NULL bytes can truncate the filter, causing the LDAP query to return a successful match regardless of the actual credentials. The authentication logic then interprets any positive LDAP search result as a successful authentication, effectively bypassing password verification. This is a classic LDAP injection flaw. The attack requires that the mitmproxy instance uses `proxyauth` with an LDAP backend; this configuration is not enabled by default. No additional privileges are needed beyond the ability to send HTTP proxy requests to the affected mitmproxy instance. The issue does not affect local file-based authentication or other proxy authentication backends.
Platform: mitmproxy
Version: 12.2.1 below
Vulnerability: LDAP injection bypass
Severity: Medium
date: 2026-04-12
Prediction: 2026-04-12 (already patched)
What Undercode Say:
Simulate LDAP injection against mitmproxy 12.2.1 curl -x http://localhost:8080 --proxy-user 'admin)(uid=))(!(uid=':anything -U -v Check if LDAP proxy auth is enabled grep "proxyauth.ldap" ~/.mitmproxy/config.yaml
How Exploit:
- Identify mitmproxy instance with `proxyauth` pointing to LDAP.
- Send HTTP CONNECT request with username containing `)(uid=))(` and arbitrary password.
- Injected filter returns all LDAP entries; authentication succeeds.
Protection from this CVE:
- Upgrade to mitmproxy 12.2.2 or later.
- If upgrade impossible, sanitize username input: escape LDAP special characters
( ) \ NUL. - Disable LDAP proxy auth and use local authentication instead.
Impact:
- Unauthenticated clients can use the proxy as if authenticated.
- Full bypass of LDAP-based access control.
- Potential for unauthorized network interception and data exfiltration.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

