Description
http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend. This vulnerability is fixed in 2.0.10, 3.0.6, and 4.1.0.
Published: 2026-06-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

http-proxy-middleware implements router proxy-table entries that can match on a host, on a path, or on a combination of host and path. In the affected releases the host+path selector performs an unanchored substring comparison against the value of the Host header, which an attacker can control. A crafted Host header that is only a superstring of the configured host+path key therefore causes the proxy to forward the request to a backend that was not intended to be exposed through that host+path route. The vulnerability allows an attacker to influence which internal service receives the request, potentially exposing services that are considered internal or not publicly reachable.

Affected Systems

The vulnerable product is chimurai:http-proxy-middleware. Versions from 0.16.0 through 2.0.9, all 3.0.x releases preceding 3.0.6, and all 4.0.x releases preceding 4.1.0 contain the flaw. The fix, which corrects the host+path matching logic, is included in 2.0.10, 3.0.6, 4.1.0 and newer releases.

Risk and Exploitability

The flaw carries a CVSS v3.1 score of 6.9, indicating a moderate severity. The EPSS score is < 1%, showing a very low current likelihood of being exploited in the wild, and it is not listed in the CISA KEV catalog. The attack vector is a remote HTTP request to the proxy. Successful exploitation requires that the proxy be exposed to external traffic and that the running version is vulnerable. No publicly documented exploit code exists; detection would involve inspecting Host header handling through testing tools.

Generated by OpenCVE AI on June 25, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade http-proxy-middleware to 2.0.10, 3.0.6, 4.1.0 or a newer release that includes the host+path matching fix.
  • If an upgrade is not immediately possible, reconfigure the proxy to avoid using host+path selectors or disable routing based on the Host header entirely.
  • Apply network segmentation and firewall rules to restrict inbound traffic to the proxy and block direct access to internal back‑ends, limiting the potential impact of a routing bypass.

Generated by OpenCVE AI on June 25, 2026 at 14:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-64mm-vxmg-q3vj http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass
History

Thu, 25 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

threat_severity

Moderate


Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Chimurai
Chimurai http-proxy-middleware
Vendors & Products Chimurai
Chimurai http-proxy-middleware

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend. This vulnerability is fixed in 2.0.10, 3.0.6, and 4.1.0.
Title http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass
Weaknesses CWE-187
CWE-20
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Chimurai Http-proxy-middleware
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T14:18:06.403Z

Reserved: 2026-06-16T23:18:03.170Z

Link: CVE-2026-55602

cve-icon Vulnrichment

Updated: 2026-06-23T14:17:26.133Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T15:58:08Z

Links: CVE-2026-55602 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T14:30:06Z

Weaknesses
  • CWE-187

    Partial String Comparison

  • CWE-20

    Improper Input Validation

  • CWE-346

    Origin Validation Error