CVE-2026-55602
Analyzed Analyzed - Analysis Complete

http-proxy-middleware Host Header Path Traversal

Vulnerability report for CVE-2026-55602, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend. This vulnerability is fixed in 2.0.10, 3.0.6, and 4.1.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-26
Generated
2026-07-13
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
chimurai http-proxy-middleware From 0.16.0 (inc) to 2.0.10 (exc)
chimurai http-proxy-middleware From 3.0.0 (inc) to 3.0.6 (exc)
chimurai http-proxy-middleware From 4.0.0 (inc) to 4.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-187 The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in http-proxy-middleware affects the router feature's host+path substring matching mechanism. The middleware uses unanchored substring matching on the Host header combined with the request path to determine backend routing. An attacker can craft a Host header that is a superstring containing a configured host+path key, causing the request to be routed to an unintended backend.

For example, if the router key is "localhost:3000/api" and the attacker sends a Host header like "evillocalhost:3000", the concatenated string "evillocalhost:3000/api" still contains the router key as a substring. This causes the request to be proxied incorrectly.

This happens because the middleware checks if the concatenated Host header and path string contains the router key anywhere, rather than matching it exactly or anchored, allowing bypass of intended routing rules.

Impact Analysis

This vulnerability can impact you by allowing unauthenticated external clients to bypass routing boundaries within your application.

Specifically, it can cause backend-selection integrity issues, where requests are routed to unintended backends. This can break tenant separation or segregation between public and sensitive upstream services.

While it does not directly compromise confidentiality or availability, it can lead to unauthorized access to different backend services, potentially exposing sensitive data or functionality.

Detection Guidance

This vulnerability can be detected by checking if your system is running a vulnerable version of the http-proxy-middleware library (versions >= 0.16.0 < 2.0.10, >= 3.0.0 < 3.0.6, and >= 4.0.0 < 4.1.0) and if the proxy-table router feature is enabled with host+path rules.

To detect potential exploitation attempts on your network, you can monitor HTTP requests for suspicious Host headers that are superstrings of configured host+path keys.

  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests with unusual Host headers.
  • Example tcpdump command to capture HTTP requests with Host headers containing a specific substring (replace example.com with your configured host):

tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Host: evillocalhost'

  • Check your application logs for requests with Host headers that do not exactly match configured hosts but contain them as substrings.
Mitigation Strategies

The immediate mitigation step is to upgrade the http-proxy-middleware library to a fixed version: 2.0.10, 3.0.6, or 4.1.0 or later.

If upgrading immediately is not possible, consider disabling the proxy-table router feature or avoid using host+path rules until the update can be applied.

Additionally, implement strict validation of Host headers in your application or at the proxy level to reject unexpected or malformed Host headers.

Compliance Impact

The vulnerability in http-proxy-middleware allows unauthenticated external clients to bypass routing boundaries, potentially accessing unintended backend systems. This backend-selection integrity issue can lead to unauthorized access to sensitive or segregated data environments.

Such unauthorized access risks violating compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict controls over data access and tenant separation to protect personal and sensitive information.

Although the vulnerability does not directly compromise confidentiality or availability, the potential for unauthorized backend access could result in non-compliance with these regulations due to improper data segregation and access control failures.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55602. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart