Jump to solution
Verify

httpx Some URL can make httpx use URL with wrong info (Fix)

Fixed
Spec
Package
httpx
Fixed In
0.23.0
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-09
Own content ratio
0.65
#2184 ai security Idempotency Violation Updated: 2026-02-13
Issue #2184

The Fix

Upgrade to version 0.23.0 or later.

Based on closed encode/httpx issue #2184 · PR/commit linked

Jump to Verify Open PR/Commit
@@ -4,6 +4,26 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## 0.23.0 (23rd May, 2022) + +### Changed
repro.py
user_input_from_http_request = 'http://x@//internal-proxy:8082/' u = httpx.URL(user_input_from_http_request) assert u.host.lower() != 'internal-proxy' # httpx.Proxy(u).url.netloc == b'internal-proxy:8082' resp = httpx.Client(proxies=u).get('http://localhost/secret') # will request via http proxy at internal-proxy:8082
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\nUpgrade to version 0.23.0 or later.\nWhen NOT to use: Do not use this fix if the URL parsing behavior is intentionally relied upon.\n\n

Why This Fix Works in Production

  • Trigger: assert u.host.lower() != 'admin-dashboard'
  • Mechanism: The `copy_with` method improperly parses URLs, leading to unintended changes
  • Why the fix works: Patches the `copy_with` method to prevent unintended changes to URLs, addressing the issue of improper URL parsing that could lead to security vulnerabilities. (first fixed release: 0.23.0).
Production impact:
  • If left unfixed, this can cause silent data inconsistencies that propagate (bad cache entries, incorrect downstream decisions).

Why This Breaks in Prod

  • The `copy_with` method improperly parses URLs, leading to unintended changes
  • Production symptom (often without a traceback): assert u.host.lower() != 'admin-dashboard'

Proof / Evidence

  • GitHub issue: #2184
  • Fix PR: https://github.com/encode/httpx/pull/2214
  • First fixed release: 0.23.0
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.75
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.65

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“A stable version with this fix has not been released yet, this can't be closed.”
@erdnaxeli · 2022-05-17 · confirmation · source
“👋 When is the next release scheduled? Would love to pick up https://github.com/encode/httpx/pull/2185, since it addresses CVE-2021-41945 🙏”
@dashk · 2022-05-07 · source
“PR https://github.com/encode/httpx/pull/2185 has been merged, can this be closed?”
@hugovk · 2022-05-16 · confirmation · source
“Release pull request... https://github.com/encode/httpx/pull/2214”
@lovelydinosaur · 2022-05-09 · source

Failure Signature (Search String)

  • assert u.host.lower() != 'admin-dashboard'
  • print(resp.text) # sensitive data leak
Copy-friendly signature
signature.txt
Failure Signature ----------------- assert u.host.lower() != 'admin-dashboard' print(resp.text) # sensitive data leak

Error Message

Signature-only (no traceback captured)
error.txt
Error Message ------------- assert u.host.lower() != 'admin-dashboard' print(resp.text) # sensitive data leak

Minimal Reproduction

repro.py
user_input_from_http_request = 'http://x@//internal-proxy:8082/' u = httpx.URL(user_input_from_http_request) assert u.host.lower() != 'internal-proxy' # httpx.Proxy(u).url.netloc == b'internal-proxy:8082' resp = httpx.Client(proxies=u).get('http://localhost/secret') # will request via http proxy at internal-proxy:8082

What Broke

This issue can lead to sensitive data leaks via SSRF attacks.

Why It Broke

The `copy_with` method improperly parses URLs, leading to unintended changes

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

Upgrade to version 0.23.0 or later.

When NOT to use: Do not use this fix if the URL parsing behavior is intentionally relied upon.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/encode/httpx/pull/2214

First fixed release: 0.23.0

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • Do not use this fix if the URL parsing behavior is intentionally relied upon.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.

Version Compatibility Table

VersionStatus
0.23.0 Fixed

Related Issues

No related fixes found.

Cluster: httpx:data-consistency All hubs All clusters
Related clusters: Configuration error Other Timeout

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #2184. Not affiliated with the library maintainers. Verify before production use.