Impact
http-proxy-middleware implements router proxy-table entries that can match on a host, on a path, or on a combination of host and path. In the affected releases the host+path selector performs an unanchored substring comparison against the value of the Host header, which an attacker can control. A crafted Host header that is only a superstring of the configured host+path key therefore causes the proxy to forward the request to a backend that was not intended to be exposed through that host+path route. The vulnerability allows an attacker to influence which internal service receives the request, potentially exposing services that are considered internal or not publicly reachable.
Affected Systems
The vulnerable product is chimurai:http-proxy-middleware. Versions from 0.16.0 through 2.0.9, all 3.0.x releases preceding 3.0.6, and all 4.0.x releases preceding 4.1.0 contain the flaw. The fix, which corrects the host+path matching logic, is included in 2.0.10, 3.0.6, 4.1.0 and newer releases.
Risk and Exploitability
The flaw carries a CVSS v3.1 score of 6.9, indicating a moderate severity. The EPSS score is < 1%, showing a very low current likelihood of being exploited in the wild, and it is not listed in the CISA KEV catalog. The attack vector is a remote HTTP request to the proxy. Successful exploitation requires that the proxy be exposed to external traffic and that the running version is vulnerable. No publicly documented exploit code exists; detection would involve inspecting Host header handling through testing tools.
OpenCVE Enrichment
Github GHSA