Moderate severity · NVD Advisory · Published Apr 15, 2025 · Updated Apr 15, 2025
CVE-2025-32996
Description
In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| http-proxy-middleware (npm) | >= 1.3.0, < 2.0.8 | 2.0.8 |
| http-proxy-middleware (npm) | >= 3.0.0, < 3.0.4 | 3.0.4 |
Patches
020976044d11 fix(fixRequestBody): prevent multiple .write() calls (#1089)
2 files changed · +25 −8
src/handlers/fix-request-body.ts+10 −8 modified@@ -17,21 +17,23 @@ export function fixRequestBody<TReq = http.IncomingMessage>( } const contentType = proxyReq.getHeader('Content-Type') as string; + + if (!contentType) { + return; + } + const writeBody = (bodyData: string) => { - // deepcode ignore ContentLengthInCode: bodyParser fix proxyReq.setHeader('Content-Length', Buffer.byteLength(bodyData)); proxyReq.write(bodyData); }; - if (contentType && (contentType.includes('application/json') || contentType.includes('+json'))) { + // Use if-elseif to prevent multiple writeBody/setHeader calls: + // Error: "Cannot set headers after they are sent to the client" + if (contentType.includes('application/json') || contentType.includes('+json')) { writeBody(JSON.stringify(requestBody)); - } - - if (contentType && contentType.includes('application/x-www-form-urlencoded')) { + } else if (contentType.includes('application/x-www-form-urlencoded')) { writeBody(querystring.stringify(requestBody)); - } - - if (contentType && contentType.includes('multipart/form-data')) { + } else if (contentType.includes('multipart/form-data')) { writeBody(handlerFormDataBodyData(contentType, requestBody)); } }
test/unit/fix-request-body.spec.ts+15 −0 modified@@ -154,4 +154,19 @@ describe('fixRequestBody', () => { expect(proxyRequest.setHeader).toHaveBeenCalledWith('Content-Length', expectedBody.length); expect(proxyRequest.write).toHaveBeenCalledWith(expectedBody); }); + + it('should parse json and call write() once with incorrect content-type application/x-www-form-urlencoded+json', () => { + const proxyRequest = fakeProxyRequest(); + proxyRequest.setHeader('content-type', 'application/x-www-form-urlencoded+json'); + + jest.spyOn(proxyRequest, 'setHeader'); + jest.spyOn(proxyRequest, 'write'); + + fixRequestBody(proxyRequest, createRequestWithBody({ someField: 'some value' })); + + const expectedBody = JSON.stringify({ someField: 'some value' }); + expect(proxyRequest.setHeader).toHaveBeenCalledWith('Content-Length', expectedBody.length); + expect(proxyRequest.write).toHaveBeenCalledTimes(1); + expect(proxyRequest.write).toHaveBeenCalledWith(expectedBody); + }); });
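Review bot: In the src/handlers/fix-request-body.ts hunk, the new `else if` chain fixes the double write but also fixes a precedence that is not stated anywhere: a Content-Type containing both `+json` and `application/x-www-form-urlencoded` is now always serialised as JSON by the first branch, whereas before it was written twice. The comment above the chain only explains the header error; it should also say that JSON wins for overlapping types, and the `if (!contentType) return;` guard deserves a one-line note that a body-parsed request with no Content-Type is intentionally left unforwarded (this matches the old behaviour, where every branch required `contentType` to be truthy).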
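Review bot: In the test/unit/fix-request-body.spec.ts hunk, the new case covers the overlapping `application/x-www-form-urlencoded+json` type and asserts `write` is called once, but the other behaviour added by this change, the early `return` when `contentType` is falsy, has no test. Suggest a sibling `it(...)` that builds `fakeProxyRequest()` without setting a content-type, calls `fixRequestBody(proxyRequest, createRequestWithBody({ someField: 'some value' }))`, and asserts `expect(proxyRequest.write).not.toHaveBeenCalled()` and `expect(proxyRequest.setHeader).not.toHaveBeenCalledWith('Content-Length', expect.anything())`.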
References
- github.com/advisories/GHSA-4www-5p9h-95mh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-32996 (NVD advisory)
- github.com/chimurai/http-proxy-middleware/commit/020976044d113fc0bcbbaf995e91d05e2829a145 (fix commit)
- github.com/chimurai/http-proxy-middleware/pull/1089 (pull request)
- github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.8 (release)
- github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.4 (release)