CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-55602

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend. This vulnerability is fixed in 2.0.10, 3.0.6, and 4.1.0.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.003

EPSS Ranking 25.9%

CVSS Severity

CVSS v3 Score 8.6

References

Products affected by CVE-2026-55602

Chimurai » Http-Proxy-Middleware » Version: 0.16.0

cpe:2.3:a:chimurai:http-proxy-middleware:0.16.0
Chimurai » Http-Proxy-Middleware » Version: 0.17.0

cpe:2.3:a:chimurai:http-proxy-middleware:0.17.0
Chimurai » Http-Proxy-Middleware » Version: 0.17.1

cpe:2.3:a:chimurai:http-proxy-middleware:0.17.1
Chimurai » Http-Proxy-Middleware » Version: 0.17.2

cpe:2.3:a:chimurai:http-proxy-middleware:0.17.2
Chimurai » Http-Proxy-Middleware » Version: 0.17.3

cpe:2.3:a:chimurai:http-proxy-middleware:0.17.3
Chimurai » Http-Proxy-Middleware » Version: 0.17.4

cpe:2.3:a:chimurai:http-proxy-middleware:0.17.4
Chimurai » Http-Proxy-Middleware » Version: 0.18.0

cpe:2.3:a:chimurai:http-proxy-middleware:0.18.0
Chimurai » Http-Proxy-Middleware » Version: 0.19.0

cpe:2.3:a:chimurai:http-proxy-middleware:0.19.0
Chimurai » Http-Proxy-Middleware » Version: 0.19.1

cpe:2.3:a:chimurai:http-proxy-middleware:0.19.1
Chimurai » Http-Proxy-Middleware » Version: 0.19.2

cpe:2.3:a:chimurai:http-proxy-middleware:0.19.2
Chimurai » Http-Proxy-Middleware » Version: 0.20.0

cpe:2.3:a:chimurai:http-proxy-middleware:0.20.0
Chimurai » Http-Proxy-Middleware » Version: 0.21.0

cpe:2.3:a:chimurai:http-proxy-middleware:0.21.0
Chimurai » Http-Proxy-Middleware » Version: 1.0.0

cpe:2.3:a:chimurai:http-proxy-middleware:1.0.0
Chimurai » Http-Proxy-Middleware » Version: 1.0.1

cpe:2.3:a:chimurai:http-proxy-middleware:1.0.1
Chimurai » Http-Proxy-Middleware » Version: 1.0.2

cpe:2.3:a:chimurai:http-proxy-middleware:1.0.2
Chimurai » Http-Proxy-Middleware » Version: 1.0.3

cpe:2.3:a:chimurai:http-proxy-middleware:1.0.3
Chimurai » Http-Proxy-Middleware » Version: 1.0.4

cpe:2.3:a:chimurai:http-proxy-middleware:1.0.4
Chimurai » Http-Proxy-Middleware » Version: 1.0.5

cpe:2.3:a:chimurai:http-proxy-middleware:1.0.5
Chimurai » Http-Proxy-Middleware » Version: 1.0.6

cpe:2.3:a:chimurai:http-proxy-middleware:1.0.6
Chimurai » Http-Proxy-Middleware » Version: 1.1.0

cpe:2.3:a:chimurai:http-proxy-middleware:1.1.0
Chimurai » Http-Proxy-Middleware » Version: 1.1.1

cpe:2.3:a:chimurai:http-proxy-middleware:1.1.1
Chimurai » Http-Proxy-Middleware » Version: 1.1.2

cpe:2.3:a:chimurai:http-proxy-middleware:1.1.2
Chimurai » Http-Proxy-Middleware » Version: 1.2.0

cpe:2.3:a:chimurai:http-proxy-middleware:1.2.0
Chimurai » Http-Proxy-Middleware » Version: 1.2.1

cpe:2.3:a:chimurai:http-proxy-middleware:1.2.1
Chimurai » Http-Proxy-Middleware » Version: 1.3.0

cpe:2.3:a:chimurai:http-proxy-middleware:1.3.0
Chimurai » Http-Proxy-Middleware » Version: 1.3.1

cpe:2.3:a:chimurai:http-proxy-middleware:1.3.1
Chimurai » Http-Proxy-Middleware » Version: 2.0.0

cpe:2.3:a:chimurai:http-proxy-middleware:2.0.0
Chimurai » Http-Proxy-Middleware » Version: 2.0.1

cpe:2.3:a:chimurai:http-proxy-middleware:2.0.1
Chimurai » Http-Proxy-Middleware » Version: 2.0.2

cpe:2.3:a:chimurai:http-proxy-middleware:2.0.2
Chimurai » Http-Proxy-Middleware » Version: 2.0.3

cpe:2.3:a:chimurai:http-proxy-middleware:2.0.3
Chimurai » Http-Proxy-Middleware » Version: 2.0.4

cpe:2.3:a:chimurai:http-proxy-middleware:2.0.4
Chimurai » Http-Proxy-Middleware » Version: 2.0.5

cpe:2.3:a:chimurai:http-proxy-middleware:2.0.5
Chimurai » Http-Proxy-Middleware » Version: 2.0.6

cpe:2.3:a:chimurai:http-proxy-middleware:2.0.6
Chimurai » Http-Proxy-Middleware » Version: 2.0.7

cpe:2.3:a:chimurai:http-proxy-middleware:2.0.7
Chimurai » Http-Proxy-Middleware » Version: 2.0.8

cpe:2.3:a:chimurai:http-proxy-middleware:2.0.8
Chimurai » Http-Proxy-Middleware » Version: 2.0.9

cpe:2.3:a:chimurai:http-proxy-middleware:2.0.9
Chimurai » Http-Proxy-Middleware » Version: 3.0.0

cpe:2.3:a:chimurai:http-proxy-middleware:3.0.0
Chimurai » Http-Proxy-Middleware » Version: 3.0.1

cpe:2.3:a:chimurai:http-proxy-middleware:3.0.1
Chimurai » Http-Proxy-Middleware » Version: 3.0.2

cpe:2.3:a:chimurai:http-proxy-middleware:3.0.2
Chimurai » Http-Proxy-Middleware » Version: 3.0.3

cpe:2.3:a:chimurai:http-proxy-middleware:3.0.3
Chimurai » Http-Proxy-Middleware » Version: 3.0.4

cpe:2.3:a:chimurai:http-proxy-middleware:3.0.4
Chimurai » Http-Proxy-Middleware » Version: 3.0.5

cpe:2.3:a:chimurai:http-proxy-middleware:3.0.5
Chimurai » Http-Proxy-Middleware » Version: 4.0.0

cpe:2.3:a:chimurai:http-proxy-middleware:4.0.0

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-55602

Products

Pricing

Contact Us