CVE-2026-55603
Status: Received (Intake)
HTTP Request Smuggling in http-proxy-middleware

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
http-proxy-middleware is Node.js http-proxy middleware. In versions from 3.0.4 up to but not including 3.0.7, and in 4.x versions before 4.1.1, fixRequestBody() is the library's documented helper for re-emitting a request body that a body parser has already consumed. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with handlerFormDataBodyData(), which interpolates each req.body key and value directly into the multipart wire format without neutralizing CR/LF. A \r\n inside a value (or key) lets an attacker close the current part and inject an entirely new form part. Because the proxy's own body parser saw a single opaque value, any gateway-side policy or validation performed on req.body is evaluated against a different set of fields than the upstream backend ultimately parses: a request/parameter desynchronization across the trust boundary. This vulnerability is fixed in 3.0.7 and 4.1.1.
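The following is an added example, not code from http-proxy-middleware or from this advisory. It is a simplified JavaScript model of the behaviour the description outlines: rebuildMultipartVulnerable() mirrors the described verbatim interpolation of keys and values (its name, its exact format string, and the choice to read the boundary from the request's own Content-Type header are assumptions made for the demo, not the library's implementation), parseMultipart() stands in for the upstream backend's multipart parser, and rebuildMultipartHardened() is one possible mitigation and not the project's actual fix. The attacker payload is constructed.

```javascript
// Added example, not http-proxy-middleware's code: models the multipart
// rebuild the advisory describes, the CR/LF break-out, and one hardening.

// Assumption for this demo: the boundary is read from the request's own
// Content-Type header, which the client (and so the attacker) controls.
function boundaryFromContentType(contentType) {
  const m = /boundary=("?)([^";]+)\1/i.exec(contentType);
  if (!m) throw new Error('no boundary in Content-Type');
  return m[2];
}

// Vulnerable rebuild: each parsed key/value is interpolated verbatim into the
// multipart wire format, so CR/LF in the data is indistinguishable from the
// CR/LF that structures the body.
function rebuildMultipartVulnerable(contentType, body) {
  const boundary = boundaryFromContentType(contentType);
  let out = '';
  for (const [key, value] of Object.entries(body)) {
    out += `--${boundary}\r\nContent-Disposition: form-data; name="${key}"\r\n\r\n${value}\r\n`;
  }
  return `${out}--${boundary}--\r\n`;
}

// Hardened rebuild (one mitigation, not the project's fix): refuse any key or
// value that could terminate a part or forge a header, instead of emitting it.
function rebuildMultipartHardened(contentType, body) {
  const boundary = boundaryFromContentType(contentType);
  let out = '';
  for (const [key, value] of Object.entries(body)) {
    const v = String(value);
    if (/[\r\n"]/.test(key) || /[\r\n]/.test(v) || v.includes(`--${boundary}`)) {
      throw new Error(`refusing to re-emit field "${key}": CR/LF or boundary in data`);
    }
    out += `--${boundary}\r\nContent-Disposition: form-data; name="${key}"\r\n\r\n${v}\r\n`;
  }
  return `${out}--${boundary}--\r\n`;
}

// Minimal multipart parser standing in for the upstream backend. Returns a
// name -> value map of the fields it sees on the wire.
function parseMultipart(contentType, wire) {
  const delimiter = `--${boundaryFromContentType(contentType)}`;
  const fields = {};
  for (const chunk of wire.split(delimiter).slice(1)) {
    if (chunk.startsWith('--')) break;           // closing delimiter
    const part = chunk.replace(/^\r\n/, '');
    const sep = part.indexOf('\r\n\r\n');
    if (sep < 0) continue;
    const name = /name="([^"]*)"/.exec(part.slice(0, sep));
    if (name) fields[name[1]] = part.slice(sep + 4).replace(/\r\n$/, '');
  }
  return fields;
}

const CONTENT_TYPE = 'multipart/form-data; boundary=----demo';

// Constructed attacker payload as the gateway's body parser hands it to the
// proxy: ONE field, "comment", whose value smuggles a complete second part.
const GATEWAY_VIEW = {
  comment: 'hello\r\n------demo\r\nContent-Disposition: form-data; name="role"\r\n\r\nadmin',
};

// Show the desync: the gateway validated one field, the backend parses two.
function demonstrateDesync() {
  const wire = rebuildMultipartVulnerable(CONTENT_TYPE, GATEWAY_VIEW);
  const upstreamView = parseMultipart(CONTENT_TYPE, wire);
  return {
    gatewayFields: Object.keys(GATEWAY_VIEW),   // ['comment']
    upstreamFields: Object.keys(upstreamView),  // ['comment', 'role']
    upstream: upstreamView,
  };
}

console.log(JSON.stringify(demonstrateDesync(), null, 2));
```

Any policy the gateway applied to req.body.comment (length limits, content filters, an allow-list of field names) ran against one field; the backend receives a second field named role it never inspected. The hardened rebuild rejects rather than escapes, because multipart has no standard escape for CR/LF inside a part body and silently mangling data would hide the problem from the caller.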
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs

Vendor   Product                 Version / Range
nodejs   http-proxy-middleware   From 3.0.4 (inc) to 3.0.7 (inc)
nodejs   http-proxy-middleware   3.0.7
nodejs   http-proxy-middleware   4.1.1

Note: the CPE rows list 3.0.7 and 4.1.1 as affected, but the description states those are the fixed releases (affected: 3.0.4 up to but not including 3.0.7, and 4.x before 4.1.1). Match installed versions against the description's ranges, not the CPE rows.
CWE
CWE-93 (Improper Neutralization of CRLF Sequences, "CRLF Injection"): The product uses CRLF (carriage return line feed) sequences as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Executive Summary

The vulnerability exists in the fixRequestBody() helper of the Node.js http-proxy-middleware library, in versions 3.0.4 up to but not including 3.0.7 and in 4.x versions before 4.1.1. When the outgoing Content-Type is multipart/form-data, the helper rebuilds the request body by interpolating each key and value directly into the multipart format without neutralizing carriage return and line feed characters (CR/LF). An attacker who places a \r\n inside a value or key can close the current part and inject a new form part. The proxy's body parser saw one field; the upstream backend parses two, so the two sides of the trust boundary disagree about what the request contains.

Impact Analysis

This vulnerability can lead to a request/parameter desynchronization across the trust boundary between the proxy and the backend server. Because the proxy evaluates gateway-side policies or validations on a different set of fields than the backend ultimately processes, an attacker can bypass security controls or inject malicious data. This can result in unauthorized actions or data manipulation, impacting the integrity of the application.

Mitigation Strategies

This vulnerability is fixed in versions 3.0.7 and 4.1.1 of http-proxy-middleware.

Upgrade the http-proxy-middleware dependency to 3.0.7 or later on the 3.x line, or 4.1.1 or later on the 4.x line; the installed version can be checked with npm ls http-proxy-middleware. The affected code path is only reached when a body parser runs ahead of the proxy and fixRequestBody() is then used to re-emit the consumed body with a multipart/form-data Content-Type, so deployments that proxy the raw stream without parsing it first do not exercise the vulnerable rebuild.

Compliance Impact

This vulnerability causes a request/parameter desynchronization across the trust boundary, meaning that gateway-side policy or validation performed on the request body is evaluated against a different set of fields than the upstream backend ultimately parses.

Such desynchronization can lead to bypassing security controls or validation mechanisms that are critical for compliance with standards and regulations like GDPR or HIPAA, which require accurate and consistent data handling and validation.

Therefore, this vulnerability could impact compliance by allowing attackers to inject unauthorized form parts that evade gateway-side validation, undermining the data integrity and security controls these regulations mandate.
