CVE-2024-21536

CVE-2024-21536 affects http-proxy-middleware: versions before 2.0.7, and 3.0.0–before 3.0.3, are vulnerable to DoS due to an unhandled rejection in micromatch that can crash a Node.js server. The fix is in 2.0.7 (and 3.x later 3.0.3). Remediate by upgrading to a version containing the fix (e.g., ...

CVE-2025-32996

CVE-2025-32996 affects the http-proxy-middleware project where, in versions before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because an else-if is missing. This is the underlying root cause and is reflected in related IBM and IBM X-Force bulletins that cite the same description. T...

CVE-2025-32997

In CVE-2025-32997, the http-proxy-middleware has a flaw where fixRequestBody proceeds even if bodyParser has failed, affecting versions: 2.0.7/2.0.8 (before 2.0.9) and 3.x before 3.0.5. The Connected IBM bulletin confirms the root cause and lists remediation: upgrade to http-proxy-middleware v2.0...

CVE-2026-55602

The CVE-2026-55602 issue affects http-proxy-middleware (Node.js) versions 0.16.0 through 2.0.10, 3.0.6, and 4.1.0. The host+path router uses unanchored substring matching on attacker-controlled request metadata, enabling a crafted Host header that is a superstring match for a configured key to ro...

CVE-2026-55603

CVE-2026-55603 affects http-proxy-middleware (Node.js). In versions 3.0.4–3.0.7 and 4.1.1, fixRequestBody() rebuilds multipart/form-data by interpolating req.body into the wire format without neutralizing CR/LF. This can let an attacker inject a new multipart part (via unescaped CRLF in keys/valu...