CVE Catalog

CVE-2026-55602

HighCVSS 8.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

26th percentile — higher than 26% of all known CVEs

Summary

Vulnerability in http-proxy-middleware from version 0.16.0 to 2.0.10, 3.0.6, and 4.1.0 involves incorrect matching of host+path router entries. The implementation uses unanchored substring matching instead of full matching, allowing an attacker to route requests to an unintended backend via a crafted Host header.

Risk Assessment

An attacker can bypass routing rules and redirect requests to an unauthorized backend, potentially leading to data disclosure, integrity compromise, or further attacks on internal systems.

Recommendation

Immediately update http-proxy-middleware to version 2.0.10, 3.0.6, or 4.1.0, depending on the major version in use.

Original NVD description (English source)

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend. This vulnerability is fixed in 2.0.10, 3.0.6, and 4.1.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS