Platform
nodejs
Component
http-proxy-middleware
Fixed in
2.0.7
3.0.3
CVE-2024-21536 is a denial-of-service (DoS) vulnerability in the http-proxy-middleware package for Node.js. The glob path matching that http-proxy-middleware delegates to its micromatch dependency can throw on certain request paths; because the middleware runs in an async code path and the error is not caught, it surfaces as an unhandled promise rejection, which Node.js (version 15 and later, by default) answers by terminating the process. Versions prior to 2.0.7 and versions 3.0.0 through 3.0.2 are affected; the fix shipped in 2.0.7 for the 2.x line and 3.0.3 for the 3.x line.
An attacker exploits this by sending specially crafted requests to paths handled by http-proxy-middleware. The resulting unhandled promise rejection terminates the Node.js process, taking the proxy offline along with every application or service that depends on it; because the trigger is an ordinary HTTP request, an attacker can repeat it as fast as a supervisor restarts the process. No sensitive data is exposed, but the loss of availability can have significant operational and business consequences.
This vulnerability was publicly disclosed on 2024-10-19. There is currently no indication of active exploitation in the wild, and it is not listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, although the nature of the bug, a crafted request to a proxied path, means writing one is not difficult. The EPSS score is 0.35% (58th percentile), a low predicted probability of exploitation despite the low skill required.
Exploit Status
EPSS
0.35% (58th percentile)
The primary mitigation for CVE-2024-21536 is to upgrade http-proxy-middleware to 2.0.7 or later on the 2.x line, or 3.0.3 or later on the 3.x line. If an immediate upgrade is not feasible because of compatibility issues or breaking changes, the available workarounds reduce exposure rather than remove it. Rate limiting incoming requests slows an attacker down but does not stop a single crafted request from killing the process. Filtering requests in front of the proxy helps only if the filter actually rejects the triggering paths, so an allow-list of the path shapes you expect to proxy is more reliable than trying to blocklist the trigger. Monitoring Node.js process health and restarting automatically limits the downtime per crash, but a determined attacker can keep the restart loop busy. Catching the middleware's rejected promise in the application's error handling, rather than letting it escape unobserved, keeps the process alive at the cost of one failed request. After upgrading, confirm the fix by replaying a request that previously triggered the error; it should now complete without terminating the process.
Update http-proxy-middleware to 2.0.7 or later on the 2.x line, or to 3.0.3 or later on the 3.x line; both releases correct the denial-of-service caused by the unhandled promise rejection. Stay on your current major line unless you are prepared for the 3.x API changes: `npm install http-proxy-middleware@^2.0.7` or `yarn add http-proxy-middleware@^2.0.7` for 2.x projects, and `@^3.0.3` for 3.x projects. Installing `@latest` from a 2.x project pulls in 3.x, which is a major-version bump with breaking changes.
CVE-2024-21536 is a Denial of Service vulnerability in the http-proxy-middleware package, allowing attackers to crash the Node.js process by triggering an UnhandledPromiseRejection error.
You are affected if you are using http-proxy-middleware at any version prior to 2.0.7, or at 3.0.0, 3.0.1 or 3.0.2.
Upgrade to 2.0.7 or later (2.x line) or 3.0.3 or later (3.x line). Rate limiting and request filtering in front of the proxy reduce exposure as temporary workarounds if an immediate upgrade is not possible.
There is currently no evidence of active exploitation in the wild.
Refer to the package repository or the npm advisory for the latest information: [https://github.com/chimurai/http-proxy-middleware/issues/1184](https://github.com/chimurai/http-proxy-middleware/issues/1184)