AlloyProxy15 Patched

AlloyProxy15 — a widely used open-source HTTP/HTTPS intercepting proxy library for penetration testing and API debugging — recently released a silent patch designated “AlloyProxy15 Patched” (commit f3a9b2c). This patch addresses a configuration injection vulnerability (CVE-2026-0147) that allowed malicious upstream proxies or local attackers to bypass TLS validation and request filtering rules. This paper details the vulnerability, the patched mechanism, and the implications for users.

The ReplayToken struct has been redesigned. It now includes an HMAC-SHA256 signature covering the entire token, plus a per-request nonce.

use uuid::Uuid;

// Patched struct (v2.1.4)
struct SecureReplayToken {
    session_id: Uuid,
    nonce: [u8; 32],        // per-request nonce, prevents replay of a captured token
    timestamp: u64,         // issue time, used to reject stale tokens
    signature: [u8; 32],    // HMAC-SHA256 over all preceding fields, derived from a rotating ephemeral key
}

Deserialization now rejects any token whose signature does not verify, and it does so before parsing session_id or any other field. This eliminates the unsafe exec_hook field entirely.
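A minimal model of the verify-before-parse rule described above, written here as an added example in Python using only the standard library (it is not AlloyProxy15's own code; the fixed-width wire layout, the key, and the sample session id are assumptions):

```python
import hmac
import hashlib
import struct
import uuid

# Assumed wire layout (the page gives field types, not byte order):
# session_id(16) || nonce(32) || timestamp(8, big-endian) || signature(32)
SESSION_LEN, NONCE_LEN, TS_LEN, SIG_LEN = 16, 32, 8, 32
TOKEN_LEN = SESSION_LEN + NONCE_LEN + TS_LEN + SIG_LEN

# Constructed sample values for the demo below.
EXAMPLE_KEY = b"constructed-ephemeral-key-rotate-me"
EXAMPLE_SESSION = uuid.UUID("00000000-0000-4000-8000-000000000001")

def sign_token(key: bytes, session_id: uuid.UUID, nonce: bytes, timestamp: int) -> bytes:
    """Serialize the token and append an HMAC-SHA256 over every preceding byte."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 32 bytes")
    body = session_id.bytes + nonce + struct.pack(">Q", timestamp)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_and_parse(key: bytes, blob: bytes, seen_nonces: set, now: int, max_age: int = 300) -> dict:
    """Reject on bad length or bad signature before reading any field,
    then enforce freshness and single use of the nonce."""
    if len(blob) != TOKEN_LEN:
        raise ValueError("malformed token")
    body, sig = blob[:-SIG_LEN], blob[-SIG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; nothing has been parsed yet, so a tampered
    # session_id or timestamp never reaches the field parsers.
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature mismatch")
    session_id = uuid.UUID(bytes=body[:SESSION_LEN])
    nonce = body[SESSION_LEN:SESSION_LEN + NONCE_LEN]
    (timestamp,) = struct.unpack(">Q", body[SESSION_LEN + NONCE_LEN:])
    if not (now - max_age <= timestamp <= now):
        raise ValueError("stale token")
    if nonce in seen_nonces:
        raise ValueError("replayed nonce")
    seen_nonces.add(nonce)
    return {"session_id": session_id, "nonce": nonce, "timestamp": timestamp}

if __name__ == "__main__":
    seen = set()
    tok = sign_token(EXAMPLE_KEY, EXAMPLE_SESSION, bytes(range(32)), 1_700_000_000)
    print(verify_and_parse(EXAMPLE_KEY, tok, seen, now=1_700_000_010))
    tampered = bytearray(tok); tampered[0] ^= 1       # flip one bit of session_id
    for label, blob in (("tampered", bytes(tampered)), ("replayed", tok)):
        try:
            verify_and_parse(EXAMPLE_KEY, blob, seen, now=1_700_000_010)
        except ValueError as err:
            print(label, "rejected:", err)
```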

Using a patched tool—especially one downloaded from an unofficial source—carries significant risks: