Skip to content

Denial of Service in http-proxy

high severity GitHub Reviewed Published Sep 4, 2020

Package

npm http-proxy (npm)

Affected versions

< 1.18.1

Patched versions

1.18.1

Description

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Recommendation

Upgrade to version 1.18.1 or later

References

GHSA ID

GHSA-6x33-pw7p-hmpq