Description
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Recommendation
Update the http-proxy-middleware package to the latest compatible version. Followings are version details:
Affected version(s): **>= 3.0.0, < 3.0.3 < 2.0.7** Patched version(s): **3.0.3 2.0.7**
References
Related Issues
- static-server Path Traversal vulnerability - CVE-2023-26152
- chromedriver Downloads Resources over HTTP - CVE-2016-10579
- http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed - CVE-2025-32997
- http-proxy-middleware can call writeBody twice because "else if" is not used - CVE-2025-32996
- Tags:
- npm
- http-proxy-middleware
Anything's wrong? Let us know Last updated on October 22, 2024