CVE-2026-55602
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
http-proxy-middleware is a widely used Node.js HTTP proxy middleware for Connect, Express, and similar frameworks, built on top of http-proxy. It lets applications forward matching requests to one or more backend targets, including through a documented router proxy-table that selects a backend by host, path, or host+path.
A medium-severity improper input validation vulnerability (CVE-2026-55602) has been identified in http-proxy-middleware. The routing tool is designed to direct traffic based on specific host or path rules. However, it contains a flaw in how it validates these requests. Instead of verifying the full address exactly, the system performs a loose search on the combined host and path information. This allows an attacker to trick the system by providing a deceptive request, which leads the proxy to send traffic to an unintended destination.
Per OWASP: improper input validation occurs when software does not validate, or incorrectly validates, input that can affect the control or data flow of a program. When untrusted input is not properly validated, an attacker can craft input in a form that is not expected by the rest of the application, causing the system to behave in unintended ways.
Details
Module Info
- Product: Http Proxy Middleware
- Affected packages: http-proxy-middleware
- Affected versions: >=0.16.0 <2.0.10, >=3.0.0 <3.0.6, >=4.0.0 <4.1.0
- GitHub repository: https://github.com/chimurai/http-proxy-middleware
- Published packages: https://www.npmjs.com/package/http-proxy-middleware
- Package manager: npm
- Fixed in:
- OSS v2.0.10, v3.0.6, v4.1.0
- NES for http-proxy-middleware 0.19.4
Vulnerability Info
This medium-severity vulnerability is found in versions of http-proxy-middleware from 0.16.0 up to the fixed 2.0.10, 3.0.6, and 4.1.0 releases.
The router proxy-table feature is vulnerable because it uses a loose substring match to validate traffic rather than verifying exact host and path criteria. This allows attackers to craft requests that contain the target configuration as a substring, bypassing routing rules to redirect traffic to unintended backends. For a rule such as { 'localhost:3000/api': 'http://alt-backend' }, a request with Host: evillocalhost:3000 and path /api concatenates to evillocalhost:3000/api, which still contains localhost:3000/api, so the request is proxied to alt-backend even though the host is not localhost:3000.
This vulnerability could be exploited by:
- enabling the documented router proxy-table with at least one host+path rule
- sending an ordinary HTTP request with a crafted Host header that is a superstring of a configured host+path key
- causing getTargetFromProxyTable() to accept the crafted host via substring matching and proxy the request to an unintended backend
Mitigation
Versions of http-proxy-middleware that have reached End-of-Life will not receive any updates to address this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to a fixed version of http-proxy-middleware (2.0.10, 3.0.6, 4.1.0, or newer).
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- Reporters: @Str1ckl4nd, @Zyy0530, @7thParkk
- Analysts: @G-Rath, @ethantkoenig