CVE-2026-55603
Analyzed Analyzed - Analysis Complete

HTTP Request Smuggling in http-proxy-middleware

Vulnerability report for CVE-2026-55603, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody() is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with handlerFormDataBodyData(), which interpolates each req.body key and value directly into the multipart wire format without neutralizing CR/LF. A \r\n inside a value (or key) lets an attacker close the current part and inject an entirely new form part. Because the proxy's own body parser saw a single opaque value, any gateway-side policy or validation performed on req.body is evaluated against a different set of fields than the upstream backend ultimately parses a request/parameter desynchronization across the trust boundary. This vulnerability is fixed in 3.0.7 and 4.1.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-24
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-12
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
chimurai http-proxy-middleware From 3.0.4 (inc) to 3.0.7 (exc)
chimurai http-proxy-middleware From 4.0.0 (inc) to 4.1.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the node.js http-proxy-middleware library versions from 3.0.4 until 3.0.7 and 4.1.1 in the fixRequestBody() helper function. When the outgoing Content-Type is multipart/form-data, the function rebuilds the request body by interpolating each key and value directly into the multipart format without neutralizing carriage return and line feed characters (CR/LF). An attacker can exploit this by injecting a \r\n inside a value or key, which allows them to close the current part and inject a new form part. This causes a desynchronization between what the proxy's body parser sees and what the upstream backend ultimately parses.

Impact Analysis

This vulnerability can lead to a request/parameter desynchronization across the trust boundary between the proxy and the backend server. Because the proxy evaluates gateway-side policies or validations on a different set of fields than the backend ultimately processes, an attacker can bypass security controls or inject malicious data. This can result in unauthorized actions or data manipulation, impacting the integrity of the application.

Mitigation Strategies

The vulnerability is fixed in versions 3.0.7 and 4.1.1 of the http-proxy-middleware library.

To mitigate this vulnerability, you should upgrade your http-proxy-middleware dependency to version 3.0.7 or later, or 4.1.1 or later.

Compliance Impact

This vulnerability causes a request/parameter desynchronization across the trust boundary, meaning that gateway-side policy or validation performed on the request body is evaluated against a different set of fields than the upstream backend ultimately parses.

Such desynchronization can lead to bypassing security controls or validation mechanisms that are critical for compliance with standards and regulations like GDPR or HIPAA, which require accurate and consistent data handling and validation.

Therefore, this vulnerability could potentially impact compliance by allowing attackers to inject unauthorized form parts that evade detection or validation, undermining data integrity and security controls mandated by these regulations.

Detection Guidance

This vulnerability involves improper neutralization of CRLF sequences in multipart/form-data requests handled by the http-proxy-middleware library versions 3.0.4 to 3.0.6 and 4.0.0 to 4.1.0. Detection involves identifying if your system is running a vulnerable version of http-proxy-middleware and monitoring for suspicious multipart/form-data requests containing CRLF characters in form keys or values.

To detect exploitation attempts on your network, you can capture and inspect HTTP requests for multipart/form-data content types that include CRLF sequences (\r\n) within form field names or values, which are unusual and indicative of an attack.

Example commands to help detect such requests include using network packet capture and text search tools:

  • Use tcpdump to capture HTTP traffic on port 80 or 443 (if unencrypted): tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Filter captured traffic for multipart/form-data and CRLF sequences using grep: grep -a -E 'Content-Type: multipart/form-data|\r\n' capture.pcap
  • If HTTPS is used, inspect application logs or proxy logs for multipart/form-data requests containing suspicious CRLF characters in form fields.

Additionally, verify the version of http-proxy-middleware in your environment by checking your package.json or running: npm list http-proxy-middleware

If the version is between 3.0.4 and 3.0.6 or between 4.0.0 and 4.1.0, your system is vulnerable and should be updated to 3.0.7 or 4.1.1 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55603. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart