CVE-2026-55602
http-proxy-middleware Host Header Path Traversal

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend. This vulnerability is fixed in 2.0.10, 3.0.6, and 4.1.0.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor Product Version / Range
chimurai http-proxy-middleware From 0.16.0 (inc) to 2.0.10 (exc)
chimurai http-proxy-middleware From 3.0.0 (inc) to 3.0.6 (exc)
chimurai http-proxy-middleware From 4.0.0 (inc) to 4.1.0 (exc)
CWE
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-187 The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in http-proxy-middleware affects the router feature's host+path substring matching mechanism. The middleware uses unanchored substring matching on the Host header combined with the request path to determine backend routing. An attacker can craft a Host header that is a superstring containing a configured host+path key, causing the request to be routed to an unintended backend.

For example, if the router key is "localhost:3000/api" and the attacker sends a Host header like "evillocalhost:3000", the concatenated string "evillocalhost:3000/api" still contains the router key as a substring. This causes the request to be proxied incorrectly.

This happens because the middleware checks if the concatenated Host header and path string contains the router key anywhere, rather than matching it exactly or anchored, allowing bypass of intended routing rules.
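The weak selector described above, as an added illustration that is not http-proxy-middleware's own router code: a small proxy table with a host key and a host+path key, matched once with an unanchored indexOf on the concatenated Host header and path, and once with an anchored comparison. The router keys and the "evillocalhost:3000" Host header are the advisory's examples; the backend URLs are constructed placeholders.

```javascript
// Added illustration for CVE-2026-55602; this is NOT http-proxy-middleware's
// own router code. It models a proxy table with a host key and a host+path key
// and compares an unanchored (indexOf) selector with an anchored one. The keys
// and the "evillocalhost:3000" Host header come from the advisory text; the
// backend URLs are constructed placeholders.

const ROUTER_TABLE = {
  'localhost:3000/api': 'http://api-backend.internal:8004',                 // host+path key
  'integration.localhost:3000': 'http://integration-backend.internal:8001', // host-only key
};

// Split a router key into host and path parts; path is null for host-only keys.
function parseKey(key) {
  const slash = key.indexOf('/');
  if (slash === -1) return { host: key, path: null };
  return { host: key.slice(0, slash), path: key.slice(slash) };
}

// Weak selector, modelled on the behaviour the advisory describes: a host+path
// key is tested with indexOf against Host + path, so a Host header that is
// merely a superstring of the configured host still matches.
function selectBackendWeak(hostHeader, reqPath, table = ROUTER_TABLE) {
  const hostAndPath = hostHeader + reqPath;
  for (const [key, target] of Object.entries(table)) {
    const { path } = parseKey(key);
    if (path !== null) {
      if (hostAndPath.indexOf(key) > -1) return target; // unanchored substring match
    } else if (key === hostHeader) {
      return target;                                     // host-only keys compare exactly
    }
  }
  return null;
}

// True when reqPath equals prefix or continues it at a path boundary, so
// "/api/users" matches "/api" but "/apix" does not.
function pathAtBoundary(reqPath, prefix) {
  return reqPath === prefix || reqPath.startsWith(prefix + '/') || reqPath.startsWith(prefix + '?');
}

// Anchored selector: the host part must equal the whole Host header and the
// path part must be a boundary-respecting prefix of the request path.
function selectBackendAnchored(hostHeader, reqPath, table = ROUTER_TABLE) {
  for (const [key, target] of Object.entries(table)) {
    const { host, path } = parseKey(key);
    const hostOk = host === hostHeader;
    const pathOk = path === null || pathAtBoundary(reqPath, path);
    if (hostOk && pathOk) return target;
  }
  return null;
}

// Run the advisory's scenario through both selectors and return the results.
function demo() {
  const attackerHost = 'evillocalhost:3000';
  return {
    weak: selectBackendWeak(attackerHost, '/api/users'),       // routed to the API backend
    anchored: selectBackendAnchored(attackerHost, '/api/users'), // no route
  };
}

console.log(demo());
```

The same unanchored check also mis-routes a legitimate neighbouring host: "integration.localhost:3000" plus "/api" contains "localhost:3000/api", so the weak selector sends it to the API backend even though a dedicated host key exists for it. Anchoring on the full Host header and a path boundary removes both cases.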

Impact Analysis

This vulnerability can impact you by allowing unauthenticated external clients to bypass routing boundaries within your application.

Specifically, it can cause backend-selection integrity issues, where requests are routed to unintended backends. This can break tenant separation or segregation between public and sensitive upstream services.

Although the weakness itself is an integrity problem in backend selection rather than a direct compromise of confidentiality or availability, routing a request to the wrong backend amounts to unauthorized access to that service and can expose the data or functionality it serves.

Detection Guidance

This vulnerability can be detected by checking if your system is running a vulnerable version of the http-proxy-middleware library (versions >= 0.16.0 < 2.0.10, >= 3.0.0 < 3.0.6, and >= 4.0.0 < 4.1.0) and if the proxy-table router feature is enabled with host+path rules.

To detect potential exploitation attempts on your network, you can monitor HTTP requests for suspicious Host headers that are superstrings of configured host+path keys.

  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests with unusual Host headers.
  • Example tcpdump command to capture plaintext HTTP requests and print those whose Host header contains a given substring (here the advisory's example "evillocalhost"; replace it with the string you are hunting for, typically one of your configured hosts, and then discard lines that are an exact match). The capture only sees cleartext port 80 traffic; TLS connections have to be inspected at the proxy or through its logs:

tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Host: evillocalhost'

  • Check your application logs for requests with Host headers that do not exactly match configured hosts but contain them as substrings.
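The log check above, as an added example that is not part of the advisory or of http-proxy-middleware: it scans access-log records for Host headers that are not one of the configured hosts but contain one as a substring, which is the shape a superstring probe against a host+path key leaves behind. The log lines are constructed JSON records, and the configured hosts are the host parts of the advisory's example router keys.

```javascript
// Added detection example; not part of the advisory or of http-proxy-middleware.
// It classifies the Host header of each access-log record against the hosts
// configured in the router (the host part of each host or host+path key) and
// reports the ones that are superstrings of a configured host. The log lines
// are constructed; the configured hosts mirror the advisory's example.

const CONFIGURED_HOSTS = ['localhost:3000', 'integration.localhost:3000'];

// Constructed sample log: one JSON object per line, as a proxy or application
// that writes the Host header into its access log might produce.
const SAMPLE_LOG = [
  '{"ts":"2026-06-22T10:00:01Z","host":"localhost:3000","path":"/api/users","status":200}',
  '{"ts":"2026-06-22T10:00:02Z","host":"evillocalhost:3000","path":"/api/users","status":200}',
  '{"ts":"2026-06-22T10:00:03Z","host":"integration.localhost:3000","path":"/status","status":200}',
  '{"ts":"2026-06-22T10:00:04Z","host":"localhost:3000.attacker.example","path":"/api","status":200}',
  '{"ts":"2026-06-22T10:00:05Z","host":"other.example","path":"/api","status":404}',
  'not json at all',
].join('\n');

// Host names are case-insensitive; normalise before comparing.
function normalizeHost(h) {
  return typeof h === 'string' ? h.trim().toLowerCase() : '';
}

// Classify one Host value:
//   'exact'       - equals a configured host (expected traffic)
//   'superstring' - not configured, but contains a configured host inside it
//   'unknown'     - no relation to any configured host
function classifyHost(rawHost, configured = CONFIGURED_HOSTS) {
  const host = normalizeHost(rawHost);
  const known = configured.map(normalizeHost);
  if (known.includes(host)) return 'exact';
  if (known.some((k) => host.includes(k))) return 'superstring';
  return 'unknown';
}

// Parse the log and return the records worth a look, grouped by class.
// Exact matches are silently accepted; unparsable lines are only counted.
function scanAccessLog(logText, configured = CONFIGURED_HOSTS) {
  const result = { superstring: [], unknown: [], unparsable: 0 };
  for (const line of logText.split('\n')) {
    if (line.trim() === '') continue;
    let rec;
    try { rec = JSON.parse(line); } catch (e) { result.unparsable++; continue; }
    const cls = classifyHost(rec.host, configured);
    if (cls === 'exact') continue;
    const host = normalizeHost(rec.host);
    result[cls].push({
      ts: rec.ts,
      host: rec.host,
      path: rec.path,
      contains: configured.filter((k) => host.includes(normalizeHost(k))),
    });
  }
  return result;
}

const findings = scanAccessLog(SAMPLE_LOG);
for (const f of findings.superstring) console.log(`SUPERSTRING ${f.ts} host=${f.host} path=${f.path} contains=${f.contains.join(',')}`);
for (const f of findings.unknown) console.log(`UNKNOWN     ${f.ts} host=${f.host} path=${f.path}`);
console.log(`unparsable lines: ${findings.unparsable}`);
```

The exact-match test runs first on purpose: "integration.localhost:3000" contains "localhost:3000" but is itself a configured host, so it must not be reported. Only superstring hits point at this weakness; unknown hosts are listed separately as ordinary noise or misconfiguration.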

Mitigation Strategies

The immediate mitigation step is to upgrade the http-proxy-middleware library to a fixed version: 2.0.10, 3.0.6, or 4.1.0 or later.

If upgrading immediately is not possible, consider disabling the proxy-table router feature or avoiding host+path rules until the update can be applied.

Additionally, implement strict validation of Host headers in your application or at the proxy level to reject unexpected or malformed Host headers.
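One way to implement that Host-header validation in front of the proxy, as an added example that is not code from the advisory or from http-proxy-middleware: a Connect/Express-style middleware that passes a request on only if its Host header is exactly one of the hosts the deployment expects. The allowed hosts are constructed for the example.

```javascript
// Added mitigation example; not code from the advisory or http-proxy-middleware.
// A Host-header allowlist mounted before the proxy: a request is handed on only
// if its Host header is exactly one of the expected hosts, so a superstring
// such as "evillocalhost:3000" never reaches the router. The allowed hosts are
// constructed for the example; (req, res, next) is the usual Connect/Express
// middleware shape.

const ALLOWED_HOSTS = new Set(['localhost:3000', 'integration.localhost:3000']);

// Canonical form for comparison: trimmed and lower-cased. A missing header or
// a value with embedded whitespace is rejected outright rather than guessed at.
function canonicalHost(raw) {
  if (typeof raw !== 'string') return null;
  const host = raw.trim().toLowerCase();
  if (host === '' || /\s/.test(host)) return null;
  return host;
}

// Exact, case-insensitive membership test; deliberately no substring,
// prefix or suffix logic.
function hostIsAllowed(raw, allowed = ALLOWED_HOSTS) {
  const host = canonicalHost(raw);
  return host !== null && allowed.has(host);
}

// Middleware factory: answer 421 Misdirected Request when the Host header is
// not on the allowlist; otherwise hand the request to the next handler.
function hostAllowlist(allowed = ALLOWED_HOSTS) {
  return function (req, res, next) {
    const raw = req.headers ? req.headers.host : undefined;
    if (hostIsAllowed(raw, allowed)) return next();
    res.statusCode = 421;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Misdirected Request');
  };
}

// Drive the middleware with hand-built request/response objects so the
// behaviour can be observed without a running server.
function simulate(hostHeader) {
  const req = { headers: hostHeader === undefined ? {} : { host: hostHeader } };
  const res = {
    statusCode: 200,
    headers: {},
    body: null,
    setHeader(k, v) { this.headers[k] = v; },
    end(b) { this.body = b; },
  };
  let passed = false;
  hostAllowlist()(req, res, () => { passed = true; });
  return { passed, status: res.statusCode };
}

console.log(simulate('localhost:3000'));      // reaches the next handler
console.log(simulate('evillocalhost:3000'));  // rejected before routing
```

Mount it with app.use before the proxy middleware so the router only ever sees Host values from the allowlist. Because the comparison is exact, the allowlist must contain every host:port combination clients legitimately use; that is intentional, since any looser rule reintroduces the matching problem this advisory is about.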
