Description
http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend. This vulnerability is fixed in 2.0.10, 3.0.6, and 4.1.0.
Severity (CVSS)
| Base score | 6.9 |
|---|---|
| Severity | Medium |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| Provided by | CNA |
Weaknesses
- CWE-20 — CWE-20: Improper Input Validation
- CWE-187 — CWE-187: Partial String Comparison
Affected products
| Vendor | Product | Versions |
|---|---|---|
| chimurai | http-proxy-middleware | >= 4.0.0, < 4.1.0; >= 3.0.0, < 3.0.6; >= 0.16.0, < 2.0.10 |
References
Generated from the official CVE List on 23 Jun 2026 10:05 UTC.