* CVE-2025-23217: mitmweb's API now requires an authentication token by
default. The mitmweb API is bound to localhost only, but @gronke found
that an attacker can circumvent that restriction by tunneling requests
through the proxy server itself in an SSRF-style attack.
(fa89055, @mhils) (bsc#1236890)
* Add (optional) password protection for mitmweb. The web_password option
replaces the randomly-generated token authentication with a fixed secret
that survives mitmproxy restarts. (0bd573a, @mhils)
* mitmweb can now be hosted under arbitrary domains, the previously-used
DNS rebind protection is not required anymore. (62693af, @mhils)
* Security Hardening: mitmweb's xsrf_token cookie is now HttpOnly;
SameSite=Strict. (#7491, @mhils)
* Fix console freezing due to DNS queries with an empty question
section. (#7497, @sujaldev)
* Fixed a bug that caused mitmproxy to crash when loading prior knowledge
h2 flows. (#7514, @sujaldev)
* Fix a bug where mitmproxy would get stuck in secure web proxy mode when
using ignore_hosts or allow_hosts. (#7519, @mhils)
* Copy request/response data to the clipboard in mitmweb (#7352, @lups2000)
* Fix a bug where exporting a curl or httpie command with escaped
characters would lead to different data being sent.
(#7520, @proteusvacuum)
* Local Capture Mode is now available on Linux as well. (#7440, @mhils)
* mitmproxy now requires Python 3.12 or above. (#7440, @mhils)
* Add cache-busting for mitmweb's front end code. (#7386, @mhils)
* Clicking the URL in mitmweb now places the cursor at the current
position instead of selecting the entire URL. (#7385, @lups2000)
* Add missing status codes (#7455, @jwadolowski)
* All filter expressions are now case-insensitive by default. Users can
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-mitmproxy?expand=0&rev=24
- Update to version 11.0.0:
* mitmproxy now supports transparent HTTP/3 proxying.
* Add HTTP3 support in HTTPS reverse-proxy mode.
* mitmproxy now officially supports Python 3.13.
* Tighten HTTP detection heuristic to better support custom
TCP-based protocols.
* Add show_ignored_hosts option to display ignored flows in the
UI. This option is implemented as a temporary workaround and
will be removed in the future.
* Fix slow tnetstring parsing in case of very large tnetstring.
* Add getaddrinfo-based fallback for DNS resolution if we are
unable to determine the operating system's name servers.
* Improve the error message when users specify the certs option
without a matching private key.
* Fix a bug where intermediate certificates would not be
transmitted when using QUIC.
* Fix a bug where fragmented QUIC client hellos were not handled
properly.
* Emit a warning when users configure a TLS version that is not
supported by the current OpenSSL build.
* Fix a bug where mitmproxy would crash when receiving
STOP_SENDING QUIC frames.
* Fix error when unmarking all flows.
* Add addon to update the alt-svc header in reverse mode.
* Do not send unnecessary empty data frames when streaming
HTTP/2.
* Fix of measurement unit in HAR import, duration is in
milliseconds.
* Connection.tls_version now is QUICv1 instead of QUIC for QUIC.
* Add support for full mTLS with client certs between client and
mitmproxy.
* Update documentation adding a list of all possible
web_columns.
- Updates from version 10.4.2:
* Fix a crash on startup when mitmproxy is unable to determine
the OS' DNS servers
- Updates from version 10.4.1:
* Fix a bug where macOS local mode would not start up on macOS.
* Fix UDP error handling when we learn that the remote has
disconnected.
- Updates from version 10.4.0:
* Add support for DNS over TCP.
* Add a first MVP of the new Capture Tab in mitmweb.
* Add HttpConnectedHook and HttpConnectErrorHook.
* Fix non-linear growth in processing time for large HTTP bodies.
* Fix a bug where connections would be incorrectly ignored with
allow_hosts.
* Fix zstd decompression to read across frames.
* Handle certificates we cannot parse more gracefully.
* Parse compressed domain names in ResourceRecord data.
* Fix a bug where mitmweb's flow list would not stay at the
bottom.
* Fix a bug where SSH connections would be incorrectly handled as
HTTP.
* Skip UTF-8 byte-order marks (BOM) when loading HAR files.
* Allow typing.Sequence[str] to be an editable option.
* Add Host header to CONNECT requests.
* Support all query types in DNS mode.
* Fix a bug where mitmproxy would crash for pipelined HTTP flows.
* Add an optional "index" column for mitmweb.
- Updates from version 10.3.1:
* Release tags are now prefixed with v again.
* Fix a bug where mitmproxy would not exit when -n is passed.
* Set the unbuffered (stdout/stderr) flag for the mitmdump
PyInstaller build.
* Fix a bug where client replay would not work with proxyauth.
* Fix slowdown when sending large amounts of data over HTTP/2.
* Add an option to strip HTTPS records from DNS responses to
block encrypted ClientHellos.
* Add an API to parse HTTPS records from DNS RDATA.
* Releases now come with a Sigstore attestations file to
demonstrate build provenance.
- Updates from version 10.3.0:
* Add support for editing non text files in a hex editor
* Add server_connect_error hook that is triggered when connection
establishment fails.
* Add section in mitmweb for rendering, adding and removing a
comment
* Fix multipart form content view being unusable.
* Documentation Improvements on CA Certificate Generation
* Make it possible to read flows from stdin with mitmweb.
* Update aioquic dependency to >= 1.0.0, < 2.0.0.
* Fix a bug where async client_connected handlers would crash
mitmproxy.
* Add button to close flow details panel
* Ignore SIGPIPE signals when there is lots of traffic. Socket
errors are handled directly and do not require extra signals
that generate noise.
* Add primitive websocket interception and modification
* Add support for exporting websocket messages when using "raw"
export.
* The "save body" feature now also includes WebSocket messages.
* Fix compatibility with older cryptography versions and silence
a DeprecationWarning on Python <3.11.
* Fix a bug when proxying unicode domains.
- Updates from version 10.2.4:
* Fix a bug where errors during startup would not be displayed
when running mitmproxy.
* Use newer cryptography APIs to avoid
CryptographyDeprecationWarnings. This bumps the minimum
required version to cryptography 42.0.
- Updates from version 10.2.3:
* Fix a regression where allow_hosts/ignore_hosts would break
with IPv6 connections.
* Fix bug where failed CONNECT request URLs are saved to HAR
files incorrectly.
* Add an arm64 variant for the precompiled macOS app.
* Fix duplicate answers being returned in DNS queries.
* Fix bug where wireguard config is generated with incorrect
endpoint when two or more NICs are active.
* Fix a regression when leaf cert creation would fail with
intermediate CAs in ca_file.
* Add content_view_lines_cutoff option to mitmdump
* Allow runtime modifications of HTTP flow filters for server
replays
* Fix a bug in the view options menu in case of overflow
* Allow --allow-hosts and --ignore-hosts to work together
OBS-URL: https://build.opensuse.org/request/show/1208752
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-mitmproxy?expand=0&rev=22
- Update to version 10.2.2:
* The onboarding_port option has been removed. The onboarding app now
responds to all requests for the hostname specified in onboarding_host.
* connection.Client and connection.Server now accept keyword arguments
only. This is a breaking change for custom addons that use these classes
directly.
* Add experimental support for HTTP/3 and QUIC.
* ASGI/WSGI apps can now listen on all ports for a specific hostname.
* Add replay.server.add command for adding flows to server replay buffer.
* Remove string escaping in raw view.
* mitmproxy now requires Python 3.10 or above.
* Add support for reading and writing HAR files.
* UDP streams are now backed by a new implementation in mitmproxy_rs.
* ignore_hosts now waits for the entire HTTP headers if it suspects the
connection to be HTTP.
OBS-URL: https://build.opensuse.org/request/show/1152312
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-mitmproxy?expand=0&rev=20
- Update to version 9.0.1:
- The precompiled binaries now ship with OpenSSL 3.0.7, which resolves
CVE-2022-3602 and CVE-2022-3786.
- Performance and stability improvements for WireGuard mode. (#5694, @mhils,
@decathorpe)
- Fix a bug where the standalone Linux binaries would require libffi to be
installed. (#5699, @mhils)
- Hard exit when mitmproxy cannot write logs, fixes endless loop when parent
process exits. (#4669, @Prinzhorn)
- Fix a permission error affecting the Docker images. (#5700, @mhils)
- 9.0.0
# Major Features
- Add Raw UDP support. (#5414, @meitinger)
- Add WireGuard mode to enable transparent proxying via WireGuard. (#5562,
@decathorpe, @mhils)
- Add DTLS support. (#5397, @kckeiks).
- Add a quick help bar to mitmproxy. (#5381, #5652, @kckeiks, @mhils).
# Deprecations
- Deprecate add_log event hook. Users should use the builtin logging module
instead. See the docs for details and upgrade instructions. (#5590, @mhils)
- Deprecate mitmproxy.ctx.log in favor of Python's builtin logging module.
See the docs for details and upgrade instructions. (#5590, @mhils)
# Breaking Changes
- The mode option is now a list of server specs instead of a single spec. The
CLI interface is unaffected, but users may need to update their
config.yaml. (#5393, @mhils)
# Full Changelog
- Mitmproxy binaries now ship with Python 3.11. (#5678, @mhils)
- One mitmproxy instance can now spawn multiple proxy servers. (#5393,
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-mitmproxy?expand=0&rev=14
* Support specifying the local address for outgoing connections (#5364,
@meitinger)
* Fix a bug where an excess empty chunk was sent for chunked HEAD
requests. (#5372, @jixunmoe)
* Drop pkg_resources dependency. (#5401, @PavelICS)
* Fix huge (>65kb) HTTP/2 responses being corrupted. (#5428, @dhabensky)
* Remove overambitious assertions in the HTTP state machine, fix some error
handling. (#5383, @mhils)
* Use default_factory for parser_options. (#5474, @rathann)
- mitmproxy 8.1.0
* DNS support (#5232, @meitinger)
* Mitmproxy now requires Python 3.9 or above. (#5233, @mhils)
* Fix a memory leak in mitmdump where flows were kept in memory. (#4786,
@mhils)
* Replayed flows retain their current position in the flow list. (#5227,
@mhils)
* Periodically send HTTP/2 ping frames to keep connections alive. (#5046,
@EndUser509)
* Console Performance Improvements (#3427, @BkPHcgQL3V)
* Warn users if server side event responses are received without streaming.
(#4469, @mhils)
* Add flatpak support to the browser addon (#5200, @pauloromeira)
* Add example addon to dump contents to files based on a filter expression
(#5190, @redraw)
* Fix a bug where the wrong SNI is sent to an upstream HTTPS proxy (#5109,
@mhils)
* Make sure that mitmproxy displays error messages on startup. (#5225,
@mhils)
* Add example addon for domain fronting. (#5217, @randomstuff)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-mitmproxy?expand=0&rev=12