6 matches found
NPM: http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`
NPM: http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in fixRequestBody vulnerability discovered by ? in WordPress Npm http-proxy-middleware versions = 3.0.4, 3.0.7...
http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`
Summary fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with handlerFormDataBodyData, which interpolates each req.body key and value directly in...
CRLF Injection
Overview Affected versions of this package are vulnerable to CRLF Injection via the fixRequestBody function. An attacker can inject or override multipart form fields, potentially bypassing gateway-side validation or access controls, by supplying crafted input containing carriage return and line...
PT-2026-50735
Name of the Vulnerable Software and Affected Versions http-proxy-middleware versions 3.0.4 through 3.0.6 http-proxy-middleware versions prior to 4.1.1 Description An issue exists in the fixRequestBody helper function when the outgoing Content-Type is set to multipart/form-data. The function uses...
Improper Check for Unusual or Exceptional Conditions
Overview Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the fixRequestBody function, which processes certain invalid requests without error. An attacker can manipulate the request body by sending requests that violate the expected...
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed...