Lucene search
K

70 matches found

RedhatCVE
RedhatCVE
added 2026/06/29 9:0 a.m.7 views

CVE-2026-55603

A flaw was found in http-proxy-middleware. A remote attacker could exploit a vulnerability in the fixRequestBody function, which is used to re-emit a request body. By injecting carriage return and line feed characters \r\n into a request body key or value, an attacker can bypass security policies...

7.5CVSS5.8AI score0.00243EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/06/25 5:11 a.m.14 views

CVE-2026-55602

A flaw was found in http-proxy-middleware before 2.0.10, 3.0.6, and 4.1.0. Router proxy-table host+path matching uses unanchored substring comparison on the Host header, so a crafted Host value that superstring-matches a configured key can route requests to an unintended backend...

8.6CVSS5.8AI score0.0034EPSS
Exploits1References4
NVD
NVD
added 2026/06/22 9:16 p.m.13 views

CVE-2026-55603

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS0.00243EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/22 8:7 p.m.5 views

CVE-2026-55603

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS5.9AI score0.00243EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/06/22 8:7 p.m.27 views

CVE-2026-55603 http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS0.00243EPSS
Exploits1References1
CVE
CVE
added 2026/06/22 8:7 p.m.45 views

CVE-2026-55603

CVE-2026-55603 affects http-proxy-middleware (Node.js). In versions 3.0.4–3.0.7 and 4.1.1, fixRequestBody() rebuilds multipart/form-data by interpolating req.body into the wire format without neutralizing CR/LF. This can let an attacker inject a new multipart part (via unescaped CRLF in keys/valu...

7.5CVSS5.9AI score0.00243EPSS
Exploits1References1Affected Software1
NVD
NVD
added 2026/06/22 6:16 p.m.10 views

CVE-2026-55602

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request...

8.6CVSS0.0034EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/22 3:58 p.m.4 views

CVE-2026-55602

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request...

6.9CVSS5.9AI score0.0034EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/06/22 3:58 p.m.76 views

CVE-2026-55602

The CVE-2026-55602 issue affects http-proxy-middleware (Node.js) versions 0.16.0 through 2.0.10, 3.0.6, and 4.1.0. The host+path router uses unanchored substring matching on attacker-controlled request metadata, enabling a crafted Host header that is a superstring match for a configured key to ro...

8.6CVSS5.9AI score0.0034EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/06/22 3:58 p.m.33 views

CVE-2026-55602 http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request...

6.9CVSS0.0034EPSS
Exploits1References1
Snyk
Snyk
added 2026/06/18 1:6 p.m.7 views

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection via the fixRequestBody function. An attacker can inject or override multipart form fields, potentially bypassing gateway-side validation or access controls, by supplying crafted input containing carriage return and line...

7.5CVSS5.9AI score0.00243EPSS
Exploits1References2
Patchstack
Patchstack
added 2026/06/18 1:6 p.m.21 views

NPM: http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`

NPM: http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in fixRequestBody vulnerability discovered by ? in WordPress Npm http-proxy-middleware versions = 3.0.4, 3.0.7...

7.5CVSS5.8AI score0.00243EPSS
Exploits1References2Affected Software1
Patchstack
Patchstack
added 2026/06/18 1:6 p.m.4 views

NPM: http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass

NPM: http-proxy-middleware router host+path substring matching allows Host-header-driven backend routing bypass vulnerability discovered by ? in WordPress Npm http-proxy-middleware versions = 0.16.0, 2.0.10...

8.6CVSS5.8AI score0.0034EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/06/18 1:6 p.m.5 views

GHSA-64MM-VXMG-Q3VJ http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass

Summary http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configur...

6.9CVSS5.6AI score0.0034EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/18 1:6 p.m.9 views

Partial String Comparison

Overview Affected versions of this package are vulnerable to Partial String Comparison via the router component. An attacker can route requests to unintended backend servers by sending crafted HTTP requests with manipulated Host headers. Remediation Upgrade http-proxy-middleware to version 2.0.10...

8.6CVSS5.9AI score0.0034EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/06/18 1:6 p.m.26 views

http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass

Summary http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configur...

8.6CVSS5.6AI score0.0034EPSS
Exploits1References2Affected Software1
Circl
Circl
added 2026/06/17 5:17 p.m.8 views

CVE-2026-55603

creationtimestamp| type| source ---|---|--- 2026-06-17 17:17:39+00:00| published-proof-of-concept| https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-gcq2-9pq2-cxqm 2026-06-23 09:03:07+00:00| seen| https://bsky.app/profile/hugovalters.bsky.social/post/3mox25jonrk2t...

7.5CVSS5.8AI score0.00243EPSS
Exploits1References2
Circl
Circl
added 2026/06/17 5:17 p.m.11 views

CVE-2026-55602

creationtimestamp| type| source ---|---|--- 2026-06-17 17:17:28+00:00| published-proof-of-concept| https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-64mm-vxmg-q3vj...

8.6CVSS5AI score0.0034EPSS
Exploits1References1
IBM Security Bulletins
IBM Security Bulletins
added 2025/12/04 2:9 p.m.9 views

Security Bulletin: IBM Edge Data Collector uses http-proxy-middleware - 2.0.7 which is vulnerable to CVE-2025-32996, CVE-2025-32997.

Summary IBM Edge Data Collector uses http-proxy-middleware - 2.0.7 which is vulnerable to CVE-2025-32996, CVE-2025-32997. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-32996 DESCRIPTION: In http-proxy-middleware before 2.0.8 and 3.x before...

5.3CVSS6.7AI score0.00417EPSS
Exploits0Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.9 views

EUVD-2025-11355

Malicious code in bioql PyPI...

4CVSS6.3AI score0.00417EPSS
Exploits0References6
Rows per page
Query Builder