CVE-2026-55602

Improper Input Validation (4.16)
Affects
Http Proxy Middleware
in
Node.js
No items found.
Versions
>=0.16.0 <2.0.10 >=3.0.0 <3.0.6 >=4.0.0 <4.1.0
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

http-proxy-middleware is a widely used Node.js HTTP proxy middleware for Connect, Express, and similar frameworks, built on top of http-proxy. It lets applications forward matching requests to one or more backend targets, including through a documented router proxy-table that selects a backend by host, path, or host+path.

A medium-severity improper input validation vulnerability (CVE-2026-55602) has been identified in http-proxy-middleware. The routing tool is designed to direct traffic based on specific host or path rules. However, it contains a flaw in how it validates these requests. Instead of verifying the full address exactly, the system performs a loose search on the combined host and path information. This allows an attacker to trick the system by providing a deceptive request, which leads the proxy to send traffic to an unintended destination.

Per OWASP: improper input validation occurs when software does not validate, or incorrectly validates, input that can affect the control or data flow of a program. When untrusted input is not properly validated, an attacker can craft input in a form that is not expected by the rest of the application, causing the system to behave in unintended ways.

Details

Module Info

Vulnerability Info

This medium-severity vulnerability is found in versions of http-proxy-middleware from 0.16.0 up to the fixed 2.0.10, 3.0.6, and 4.1.0 releases.

The router proxy-table feature is vulnerable because it uses a loose substring match to validate traffic rather than verifying exact host and path criteria. This allows attackers to craft requests that contain the target configuration as a substring, bypassing routing rules to redirect traffic to unintended backends. For a rule such as { 'localhost:3000/api': 'http://alt-backend' }, a request with Host: evillocalhost:3000 and path /api concatenates to evillocalhost:3000/api, which still contains localhost:3000/api, so the request is proxied to alt-backend even though the host is not localhost:3000.

This vulnerability could be exploited by:

  • enabling the documented router proxy-table with at least one host+path rule
  • sending an ordinary HTTP request with a crafted Host header that is a superstring of a configured host+path key
  • causing getTargetFromProxyTable() to accept the crafted host via substring matching and proxy the request to an unintended backend

Mitigation

Versions of http-proxy-middleware that have reached End-of-Life will not receive any updates to address this issue.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to a fixed version of http-proxy-middleware (2.0.10, 3.0.6, 4.1.0, or newer).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2026-55602
PROJECT Affected
Http Proxy Middleware
Versions Affected
>=0.16.0 <2.0.10 >=3.0.0 <3.0.6 >=4.0.0 <4.1.0
NES Versions Affected
Published date
July 14, 2026
≈ Fix date
July 8, 2026
Category
Improper Input Validation (4.16)
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Node.js
Rss feed icon
Subscribe via RSS
or

By submitting the form I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.