HTTP Proxy Middleware
by Chimurai
Source repositories
CVEs (3)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-32997 | Med | 0.19 | 4.0 | 0.00 | Apr 15, 2025 | In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed. | ||
| CVE-2025-32996 | Med | 0.19 | 4.0 | 0.00 | Apr 15, 2025 | In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used. | ||
| CVE-2026-55602 | 0.00 | — | 0.00 | Jun 18, 2026 | # Summary `http-proxy-middleware` documents `router` proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted `Host` header that is only a… |
- risk 0.19cvss 4.0epss 0.00
In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.
- risk 0.19cvss 4.0epss 0.00
In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.
- CVE-2026-55602Jun 18, 2026risk 0.00cvss —epss 0.00
# Summary `http-proxy-middleware` documents `router` proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted `Host` header that is only a…