Description
http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 up to but not including 3.0.7, and in the 4.x line before 4.1.1, fixRequestBody() is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with handlerFormDataBodyData(), which interpolates each req.body key and value directly into the multipart wire format without neutralizing CR/LF. A \r\n inside a value (or key) lets an attacker close the current part and inject an entirely new form part. Because the proxy's own body parser saw a single opaque value, any gateway-side policy or validation performed on req.body is evaluated against a different set of fields than the upstream backend ultimately parses: a request/parameter desynchronization across the trust boundary. This vulnerability is fixed in 3.0.7 and 4.1.1.
Published: 2026-06-22
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the http-proxy-middleware Node.js library, in the helper function fixRequestBody, which re-emits a request body that a body parser has already consumed. When the outgoing Content-Type is multipart/form-data, it rebuilds the body by interpolating each req.body key and value into the multipart wire format without neutralizing CR/LF characters. A CRLF embedded in a key or value therefore terminates the current form part and starts a new one in the re-emitted body, so the set of fields the proxy's body parser (and any gateway-side validation on req.body) saw differs from the set the backend actually parses. An attacker can use this to bypass gateway-side input validation or to append parameters to the request body that the backend accepts as if the gateway had vetted them.

Affected Systems

The issue affects chimurai/http-proxy-middleware from 3.0.4 up to but not including 3.0.7, and the 4.x line before 4.1.1; 3.0.7 and 4.1.1 contain the fix. The problem occurs only when fixRequestBody is used to re-emit multipart/form-data bodies, that is, when a body parser runs before the proxy and the outgoing Content-Type is multipart/form-data.

Risk and Exploitability

The CVSS v3.1 score of 7.5 (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N) indicates high severity: the issue is reachable over the network without privileges or user interaction, changes scope, and has high integrity impact, although attack complexity is rated high. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. An attacker exploits it by sending a crafted multipart/form-data request through the proxy to an internal service, without requiring privileged access. The injected form part may alter downstream processing or introduce malicious payloads if the backend forwards or executes the data.

Generated by OpenCVE AI on June 22, 2026 at 22:23 UTC.

Remediation

The description and GHSA-gcq2-9pq2-cxqm state that the issue is fixed in http-proxy-middleware 3.0.7 and 4.1.1; no separate vendor workaround is listed here.

OpenCVE Recommended Actions

  • Upgrade to http-proxy-middleware 3.0.7 (3.x line) or 4.1.1 (4.x line) or later, which contain the fix for the CR/LF handling in fixRequestBody.
  • If an upgrade is not feasible, stop re-emitting multipart/form-data bodies through fixRequestBody: either proxy those routes before any body parser consumes the stream, so the original bytes are forwarded unchanged, or implement a custom body reassembly that rejects or escapes CR/LF in keys and values.
  • Ensure downstream services perform independent validation of raw multipart/form-data, rather than relying solely on the proxy’s parsed representation.



Advisories
Source: GitHub GHSA
ID: GHSA-gcq2-9pq2-cxqm
Title: http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`
History

Tue, 23 Jun 2026 00:30:00 +0000

First Time appeared (values added): Chimurai; Chimurai http-proxy-middleware
Vendors & Products (values added): Chimurai; Chimurai http-proxy-middleware

Mon, 22 Jun 2026 21:00:00 +0000

Values added:
  • Description: the description text shown at the top of this page
  • Title: http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`
  • Weaknesses: CWE-93
  • References
  • Metrics: cvssV3_1, score 7.5, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T20:07:05.034Z

Reserved: 2026-06-16T23:31:22.444Z

Link: CVE-2026-55603

Vulnrichment: no data.

NVD: no data.

Redhat: no data.

OpenCVE Enrichment

Updated: 2026-06-23T00:15:03Z

Weaknesses
  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')