Chimurai: >> Http-Proxy-Middleware >> 2.0.7 Security Vulnerabilities
http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend. This vulnerability is fixed in 2.0.10, 3.0.6, and 4.1.0.
CVSS Score
6.9
EPSS Score
0.003
Published
2026-06-22
In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.
CVSS Score
4.0
EPSS Score
0.004
Published
2025-04-15
In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.
CVSS Score
4.0
EPSS Score
0.004
Published
2025-04-15