GHSA-GGXF-37HM-9WQF: Session Leakage via Unsafe Challenge Path Parsing in instagrapi

The instagrapi library is a Python package designed for interacting with the Instagram API, frequently used for automation and data extraction. During normal authentication and operational flows, the Instagram API occasionally issues "challenges" to the client, such as Captcha or SMS verification prompts. These challenges mandate the client to navigate to specific internal API endpoints to resolve the security check.

The library processes these challenges by extracting routing information from the API response, specifically utilizing the api_path or navigation.forward fields. Vulnerable versions of the software construct the subsequent HTTP request URL by directly concatenating these fields with the base Instagram API URL. The implementation lacks sufficient input validation to ensure the provided paths are strictly relative to the intended endpoint.

Because the underlying HTTP client (requests) strictly adheres to URI parsing specifications, a maliciously formatted path can fundamentally alter the intended destination of the request. This flaw is classified under CWE-20 (Improper Input Validation) and closely mirrors the mechanics of CWE-918 (Server-Side Request Forgery) and CWE-601 (Open Redirect). The primary consequence is the unintended transmission of valid session data to unauthorized external servers.

The vulnerability stems from the usage of simple string concatenation to generate complete URLs from partial path parameters. The library code builds the target URL using a formatting operation akin to "https://i.instagram.com/api/v1%s" % data["api_path"]. This approach implicitly trusts that the server-supplied api_path represents a standard relative URI path.

According to RFC 3986, which governs Uniform Resource Identifier (URI) syntax, the authority component of a URI can include optional user information preceding the host, delimited by an @ symbol. If an injected api_path begins with @attacker.example/steal, the concatenated URL becomes https://i.instagram.com@attacker.example/steal. Standard HTTP parsing libraries interpret i.instagram.com as the user-info component and attacker.example as the target host.

Alternatively, if the injected path begins with //, the URL structure takes on a protocol-relative format or modifies the parsed path hierarchy depending on the insertion point. The requests library automatically resolves these parsed components and dispatches the HTTP request to the designated host (attacker.example). Because this request is part of an ongoing session context, the client automatically attaches all active session cookies and authentication headers to the outbound request.

The flaw resided primarily within the instagrapi/mixins/signup.py module. The original code failed to sanitize the api_path string before appending it to the base Instagram URL string. To remediate this, the developers introduced a robust validation wrapper in Pull Request #2516 (Commit c442a0c283527db60da710cdcd66f0876ef32552).

The fix implements a new static method, _safe_challenge_api_path, which strictly validates the structural integrity of the supplied path:

@staticmethod
def _safe_challenge_api_path(api_path: str, field_name: str = "api_path") -> str:
    if not isinstance(api_path, str) or not api_path:
        raise ClientError(f"Malformed challenge data from Instagram (missing {field_name}).")
    parts = urlsplit(api_path)
    has_control_chars = any(ord(char) < 32 or ord(char) == 127 for char in api_path)
    if (
        parts.scheme
        or parts.netloc
        or not api_path.startswith("/")
        or api_path.startswith("//")
        or "\\" in api_path
        or has_control_chars
    ):
        raise ClientError(f"Unsafe challenge path from Instagram: {field_name}")
    return api_path

This function utilizes urllib.parse.urlsplit to ensure the path contains neither a scheme (e.g., http) nor a netloc (e.g., example.com). It mandates that the string must begin with exactly one forward slash, explicitly rejecting // patterns that bypass netloc parsing. Furthermore, it denies the presence of backslashes and non-printable control characters, addressing alternative parsing edge cases that could cause divergence between validation logic and the underlying HTTP client's behavior.

Exploiting this vulnerability requires the attacker to manipulate the data stream between the instagrapi client and the legitimate Instagram API servers. This prerequisite aligns with the CVSS Attack Vector classification of Adjacent Network (AV:A). The attacker must achieve a privileged network position, typically operating a malicious proxy, intercepting corporate network traffic, or executing a Man-in-the-Middle (MitM) attack.

Once positioned, the attacker monitors outbound API requests initiating a login or signup sequence. When the Instagram API responds with a challenge payload, the attacker intercepts the HTTP response payload. They locate the JSON fields governing challenge navigation, specifically modifying the api_path or navigation.forward key to a payload such as @evil.corp/capture_endpoint.

The compromised response is forwarded to the instagrapi client. The client parses the JSON, extracts the malicious path, concatenates it, and executes the subsequent request. The attacker merely needs to monitor their external server (evil.corp) for incoming HTTP connections. These incoming requests will contain the full set of operational HTTP headers, yielding immediate access to the victim's authentication material.

The primary consequence of successful exploitation is the complete compromise of the application's Instagram session. By capturing the HTTP headers transmitted in the misguided request, the attacker obtains the authorization cookies and active session tokens associated with the client.

With these tokens, the attacker can impersonate the victim account, executing unauthorized actions via the Instagram API. This includes accessing private messages, modifying account settings, posting content, or extracting sensitive personal information. The impact strictly affects the confidentiality of the session data, reflected in the High Confidentiality (C:H) metric of the CVSS v3.1 vector.

The vulnerability does not allow direct execution of arbitrary code on the host running the instagrapi client, nor does it affect the availability or integrity of the host operating system. The scope remains unchanged (S:U) as the breach pertains entirely to the application's authorization state rather than the underlying infrastructure.

Organizations and developers utilizing the instagrapi library must update the package to version 2.6.9 or later. This release incorporates the _safe_challenge_api_path validation checks, preventing the arbitrary routing of challenge responses to external network locations.

For environments where an immediate software update is structurally impossible, mitigation strategies are limited due to the inherent nature of the library's internal routing mechanisms. Network-level egress filtering can provide a temporary defense-in-depth measure. Restricting the outbound connectivity of the host application exclusively to documented Instagram API domains and subdomains ensures that even if the URL is manipulated, the outbound request to the attacker's server will be dropped by the firewall.

Security engineers should review deployment architectures to minimize the risk of adjacent network interception. Ensuring TLS certificate validation is strictly enforced on all network boundaries and proxy services reduces the likelihood of an attacker successfully injecting malicious payloads into the encrypted API communication stream.