CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added yesterday•14 views

CVE-2026-55603 http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS

ATTACKERKB•added yesterday•2 views

CVE-2026-55602

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request...

6.9CVSS5.9AI score

CVE•added yesterday•17 views

CVE-2026-55602

CVE-2026-55602 affects http-proxy-middleware where host+path router keys use unanchored substring matching, enabling Host header-based routing bypass. From 0.16.0 through 2.0.10, 3.0.6, and 4.1.0 only, a crafted Host header that forms a superstring with a configured host+path key can route to an ...

6.9CVSS5.9AI score

Snyk•added 5 days ago•4 views

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection via the fixRequestBody function. An attacker can inject or override multipart form fields, potentially bypassing gateway-side validation or access controls, by supplying crafted input containing carriage return and line...

7.5CVSS5.9AI score

Patchstack•added 5 days ago•3 views

NPM: http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`

NPM: http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in fixRequestBody vulnerability discovered by ? in WordPress Npm http-proxy-middleware versions = 3.0.4, 3.0.7...

7.5CVSS5.8AI score

OSV•added 5 days ago•2 views

GHSA-64MM-VXMG-Q3VJ http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass

Summary http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configur...

6.9CVSS5.6AI score

Snyk•added 5 days ago•4 views

Partial String Comparison

Overview Affected versions of this package are vulnerable to Partial String Comparison via the router component. An attacker can route requests to unintended backend servers by sending crafted HTTP requests with manipulated Host headers. Remediation Upgrade http-proxy-middleware to version 2.0.10...

6.9CVSS5.9AI score

Patchstack•added 5 days ago•3 views

NPM: http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass

NPM: http-proxy-middleware router host+path substring matching allows Host-header-driven backend routing bypass vulnerability discovered by ? in WordPress Npm http-proxy-middleware versions = 0.16.0, 3.0.6...

6.9CVSS5.8AI score

Github Security Blog•added 5 days ago•11 views

http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass

6.9CVSS5.6AI score

Circl•added 6 days ago•6 views

CVE-2026-55603

creationtimestamp| type| source ---|---|--- 2026-06-17 17:17:39+00:00| published-proof-of-concept| https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-gcq2-9pq2-cxqm 2026-06-23 09:03:07+00:00| seen| https://bsky.app/profile/hugovalters.bsky.social/post/3mox25jonrk2t...

7.5CVSS5.8AI score

Circl•added 6 days ago•6 views

CVE-2026-55602

creationtimestamp| type| source ---|---|--- 2026-06-17 17:17:28+00:00| published-proof-of-concept| https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-64mm-vxmg-q3vj...

6.9CVSS5AI score

IBM Security Bulletins•added 2025/12/04 2:9 p.m.•6 views

Security Bulletin: IBM Edge Data Collector uses http-proxy-middleware - 2.0.7 which is vulnerable to CVE-2025-32996, CVE-2025-32997.

Summary IBM Edge Data Collector uses http-proxy-middleware - 2.0.7 which is vulnerable to CVE-2025-32996, CVE-2025-32997. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-32996 DESCRIPTION: In http-proxy-middleware before 2.0.8 and 3.x before...

5.3CVSS6.7AI score0.0039EPSS

Exploits0Affected Software1

EUVD•added 2025/10/03 8:7 p.m.•6 views

EUVD-2025-11355

Malicious code in bioql PyPI...

4CVSS6.3AI score0.0039EPSS

Exploits0References6

EUVD•added 2025/10/03 8:7 p.m.•5 views

EUVD-2025-11356

Malicious code in bioql PyPI...

4CVSS6.3AI score0.00385EPSS

Exploits0References6

EUVD•added 2025/10/03 8:7 p.m.•5 views

EUVD-2024-3014

Malicious code in bioql PyPI...

7.5CVSS8.5AI score0.01009EPSS

Exploits1References6

IBM Security Bulletins•added 2025/09/22 1:19 p.m.•6 views

Security Bulletin: Vulnerability in http-proxy-middleware affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.

Summary Potential vulnerabilities in http-proxy-middleware has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. . The vulnerability have been addressed. Refer to details for additional...

5.3CVSS6.7AI score0.0039EPSS

Exploits0Affected Software2

Tenable Nessus•added 2025/09/14 12:0 a.m.•7 views

Linux Distros Unpatched Vulnerability : CVE-2025-32997

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed. CVE-2025-32997 Note that Nessus relies on the...

5.3CVSS6.4AI score0.0039EPSS