CVE-2024-21536
HIGH
Chimurai Http-proxy-middleware < 2.0.7 - Denial of Service
Title source: ruleDescription
Versions of the package http-proxy-middleware before 2.0.7, and from 3.0.0 before 3.0.3, are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
References (4)
Core References
Exploit, Third Party Advisory
https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a
Patch
https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5
Patch
https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906
Scores
CVSS v3
7.5
EPSS
0.0035
EPSS Percentile
57.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (2)
chimurai/http-proxy-middleware
< 2.0.7
npm/http-proxy-middleware
0 - 2.0.7
npm
Published
Oct 19, 2024
Tracked Since
Feb 18, 2026