
Denial of Service in http-proxy

High severity GitHub Reviewed Published Sep 4, 2020 to the GitHub Advisory Database • Updated Jan 29, 2024

Package

npm http-proxy (npm)

Affected versions

< 1.18.1

Patched versions

1.18.1

Description

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a sufficiently long body makes the proxy throw an unhandled ERR_HTTP_HEADERS_SENT exception, which terminates the proxy process. Node.js raises this error when setHeader is called on an outgoing message whose headers have already been written to the socket. The crash is therefore only reachable when the application sets headers on the proxied request via proxyReq.setHeader (typically in a proxyReq event listener); a proxy that never modifies outgoing request headers is not affected. No authentication is required, so any client that can reach the proxy can take it down with a single request.

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Recommendation

Upgrade to version 1.18.1 or later

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Sep 4, 2020
Last updated Jan 29, 2024

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

No known CVE

GHSA ID

GHSA-6x33-pw7p-hmpq

Source code

No known source code

Credits
