Description
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Recommendation
Update the http-proxy-middleware package to the latest compatible version. Followings are version details:
Affected version(s): **>= 3.0.0, < 3.0.3 < 2.0.7** Patched version(s): **3.0.3 2.0.7**
References
Related Issues
- http-proxy-middleware can call writeBody twice because "else if" is not used - CVE-2025-32996
- http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed - CVE-2025-32997
- es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens` - CVE-2024-27088
- @hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed - CVE-2024-32652
- Tags:
- npm
- http-proxy-middleware
Anything's wrong? Let us know Last updated on October 22, 2024