HTTPoxy attack

It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context.

A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request.

Fix: ignore the HTTP_PROXY variable when the REQUEST_METHOD environment variable is set, since its presence indicates that the script is running in CGI mode (where the web server populates HTTP_* variables from client-supplied request headers).
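To make the name clash and the mitigation concrete, here is an added example (not CPython's own `getproxies_environment`, and not code from the issue): a constructed CGI header-to-environment mapping alongside a hypothetical proxy lookup that applies the REQUEST_METHOD rule described above.

```python
import os

def cgi_meta_variables(headers):
    """Map request headers to CGI HTTP_* meta-variables (RFC 3875 style).

    Constructed helper for illustration: a header "Proxy: x" becomes
    HTTP_PROXY=x, which is exactly the variable name clash behind HTTPoxy.
    """
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def proxies_from_environment(environ=None):
    """Return {scheme: proxy_url} from *_proxy variables with the mitigation
    described above: under CGI (REQUEST_METHOD set) an uppercase HTTP_PROXY
    is ignored because a client header can populate it; a lowercase
    http_proxy, which no request header can produce, is still honoured.
    Hypothetical reimplementation, not CPython's getproxies_environment.
    """
    if environ is None:
        environ = os.environ
    in_cgi = "REQUEST_METHOD" in environ
    proxies = {}
    # Pass 1: accept any case, except the client-reachable HTTP_PROXY in CGI.
    for name, value in environ.items():
        lower = name.lower()
        if lower.endswith("_proxy") and value:
            if in_cgi and name == "HTTP_PROXY":
                continue
            proxies[lower[:-6]] = value
    # Pass 2: lowercase names take precedence; an empty value clears the entry.
    for name, value in environ.items():
        if name.endswith("_proxy") and name == name.lower():
            if value:
                proxies[name[:-6]] = value
            else:
                proxies.pop(name[:-6], None)
    return proxies

if __name__ == "__main__":
    # Constructed sample: a CGI request that carries a "Proxy" header while the
    # server's own lowercase http_proxy is configured.
    env = {"REQUEST_METHOD": "GET", "http_proxy": "http://corp-proxy.example:3128"}
    env.update(cgi_meta_variables({"Host": "app.example",
                                   "Proxy": "http://untrusted.example:8080"}))
    print(proxies_from_environment(env))  # {'http': 'http://corp-proxy.example:3128'}
```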

CVSS score: 5.0 (CVSS v3).


  • Disclosure date: 2016-07-18 (Python issue bpo-27568 reported)
  • Reported by: Scott Geary (HTTPoxy)

Fixed In

Python issue

“HTTPoxy”, use of HTTP_PROXY flag supplied by attacker in CGI scripts.

  • Python issue: bpo-27568
  • Creation date: 2016-07-18
  • Reporter: Rémi Rampin


The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.


Timeline using the disclosure date 2016-07-18 as reference:

  • 2016-07-18: Python issue bpo-27568 reported by Rémi Rampin
  • 2016-07-30 (+12 days): commit 75d7b61 (branch 2.7)
  • 2016-07-31 (+13 days): commit 4cbb23f (branch 3.3)
  • 2016-12-17 (+152 days): Python 2.7.13 released
  • 2016-12-22: Python 3.6.0 released
  • 2017-01-16 (+182 days): Python 3.4.6 released
  • 2017-01-16 (+182 days): Python 3.5.3 released
  • 2017-09-19 (+428 days): Python 3.3.7 released
  • 2019-11-27 (+1227 days): CVE-2016-1000110 published