DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-GGXF-37HM-9WQF: Session Leakage via Unsafe Challenge Path Parsing in instagrapi

Vulnerability ID: GHSA-GGXF-37HM-9WQF
CVSS Score: 6.5
Published: 2026-05-23

The instagrapi library prior to version 2.6.9 contains an improper input validation vulnerability within its challenge handling mechanism. Maliciously crafted server responses can manipulate the client into forwarding session cookies and credentials to an external attacker-controlled domain.

TL;DR

Versions of instagrapi before 2.6.9 are vulnerable to a session leakage flaw where malformed API paths in challenge responses redirect authenticated requests to arbitrary external servers.
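The advisory describes the mechanism but shows no code. The Python block below is an added illustration, not instagrapi's own code and not the patch in commit c442a0c: `naive_resolve` shows how `urllib.parse.urljoin` lets a server-supplied "path" that is really a protocol-relative or absolute URL replace the API host, so that a client which then attaches its session cookies talks to the attacker's server; `resolve_challenge_path` shows the kind of check that keeps the request on the expected host. The base URL, the allowed-host set and the `{"challenge": {"api_path": ...}}` response shape are assumptions made for the example, and the sample response bodies are constructed, not captured traffic.

```python
from urllib.parse import urljoin, urlsplit

# Assumptions for this illustration: the host the client is meant to talk to
# and the base under which relative challenge paths are resolved. Neither
# value is taken from instagrapi's source.
API_BASE = "https://i.instagram.com/api/v1/"
ALLOWED_HOSTS = frozenset({"i.instagram.com", "www.instagram.com"})


class UnsafeChallengePath(ValueError):
    """Raised when a challenge path would send the session somewhere else."""


def naive_resolve(api_path: str, base: str = API_BASE) -> str:
    """The hazardous pattern: trust the server-supplied path and join it.

    urljoin() follows RFC 3986 reference resolution, so a "path" that is
    really a protocol-relative (//host/...) or absolute (https://host/...)
    URL replaces the host of `base`. Any cookies the client attaches to the
    resulting request go to that host.
    """
    return urljoin(base, api_path)


def resolve_challenge_path(api_path: str, base: str = API_BASE) -> str:
    """Resolve a challenge path only if the result stays on an allowed host.

    Rejects anything that carries its own scheme or authority, anything with
    control characters, backslashes or surrounding whitespace (which some URL
    parsers normalise into slashes or strip), and re-checks the host of the
    resolved URL as a backstop against parser differences.
    """
    if not isinstance(api_path, str) or not api_path.strip():
        raise UnsafeChallengePath("challenge path missing or empty")
    if api_path != api_path.strip():
        raise UnsafeChallengePath(f"leading/trailing whitespace in path: {api_path!r}")
    if any(ord(c) < 0x20 or c == "\\" for c in api_path):
        raise UnsafeChallengePath(f"control character or backslash in path: {api_path!r}")
    parts = urlsplit(api_path)
    if parts.scheme or parts.netloc:
        raise UnsafeChallengePath(f"path carries its own scheme/authority: {api_path!r}")
    resolved = urljoin(base, api_path)
    host = urlsplit(resolved).hostname
    if host not in ALLOWED_HOSTS:
        raise UnsafeChallengePath(f"resolved host {host!r} is not an allowed API host")
    return resolved


def challenge_url_from_response(response: dict) -> str:
    """Extract and validate the challenge path from a challenge JSON body.

    Assumption: the body has the shape {"challenge": {"api_path": "..."}}; this
    layout is a stand-in for the example and is not taken from the advisory.
    """
    challenge = response.get("challenge") or {}
    return resolve_challenge_path(challenge.get("api_path", ""))


def rejects(api_path: str) -> bool:
    """True if resolve_challenge_path() refuses `api_path`."""
    try:
        resolve_challenge_path(api_path)
    except UnsafeChallengePath:
        return True
    return False


# Constructed sample bodies, not captured traffic.
BENIGN_RESPONSE = {"message": "challenge_required",
                   "challenge": {"api_path": "/challenge/12345/abcdef/"}}
MALICIOUS_RESPONSE = {"message": "challenge_required",
                      "challenge": {"api_path": "//attacker.example/challenge/"}}


if __name__ == "__main__":
    print("naive:   ", naive_resolve(MALICIOUS_RESPONSE["challenge"]["api_path"]))
    print("checked: ", challenge_url_from_response(BENIGN_RESPONSE))
    try:
        challenge_url_from_response(MALICIOUS_RESPONSE)
    except UnsafeChallengePath as exc:
        print("rejected:", exc)
```

The final host comparison is the part that matters: whatever `urlsplit` does with a malformed string, the request is only issued if the fully resolved URL still points at a host the client is supposed to hold a session with.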


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-20
  • Attack Vector: Adjacent Network
  • CVSS Score: 6.5
  • Impact: Session Hijacking / Credential Leakage
  • Exploit Status: Proof of Concept available
  • Remediation: Update to version 2.6.9

Affected Systems

  • instagrapi (PyPI package): versions < 2.6.9 (fixed in 2.6.9)

Code Analysis

Commit: c442a0c

Fix unsafe signup challenge path handling

Exploit Details

Mitigation Strategies

  • Upgrade the instagrapi package to the patched version (2.6.9).
  • Implement strict egress filtering to ensure outbound traffic from the application host is restricted to known, legitimate API domains.
  • Enforce strict TLS validation to prevent Man-in-the-Middle tampering of API responses.

Remediation Steps:

  1. Identify all projects and services utilizing the instagrapi library via dependency auditing tools.
  2. Update the dependency declarations (e.g., requirements.txt, pyproject.toml) to require instagrapi >= 2.6.9.
  3. Execute automated test suites to verify that the upgrade does not introduce functional regressions.
  4. Deploy the updated application build to production environments.

References


Read the full report for GHSA-GGXF-37HM-9WQF on our website for more details including interactive diagrams and full exploit analysis.
