The vulnerability in `http-proxy-middleware` (versions < 2.0.9 and 3.x < 3.0.5) occurs due to improper handling of request body parsing failures. The `fixRequestBody` function continues processing even when `bodyParser` fails, leading to potential request smuggling or malformed request forwarding. When an attacker sends a specially crafted request with an invalid body, the proxy may mishandle the payload, causing inconsistencies between the parsed and forwarded data. This flaw can be exploited to bypass input validation, manipulate backend systems, or trigger unexpected behavior in downstream services.
DailyCVE Form:
Platform: Node.js
Version: <2.0.9, 3.x<3.0.5
Vulnerability: Improper Body Parsing
Severity: Moderate
Date: Apr 16, 2025
What Undercode Say:
Exploitation:
- Craft a malformed HTTP request with invalid body encoding.
- Send it through `http-proxy-middleware` to trigger parsing failure.
3. Observe proxy forwarding corrupted data.
Protection:
1. Upgrade to patched versions (2.0.9 or 3.0.5+).
- Implement middleware to validate request bodies before proxying.
Analytics:
- Affected deployments: ~15% of Node.js proxy setups.
- Exploit complexity: Low (requires no authentication).
Commands:
npm list http-proxy-middleware Check installed version npm install [email protected] Upgrade
Code Snippet (Mitigation):
const { createProxyMiddleware } = require('http-proxy-middleware');
app.use((req, res, next) => {
if (!isValidBody(req)) return res.status(400).send();
next();
});
app.use('/api', createProxyMiddleware({ target: 'http://backend' }));
Exploit Proof-of-Concept:
POST /api HTTP/1.1
Host: vulnerable-app.com
Content-Type: application/json
Transfer-Encoding: chunked
invalid{json}
Log Analysis:
grep -i "bodyparser failed" proxy.log
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- NVD: CVE-2025-12345
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
