CVE-2026-55602: http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass
http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path lookup is an unanchored substring match against the request's Host header and URL, both of which the client controls. As a result, a request whose Host header merely contains a configured host+path key as a substring (for example a longer hostname that ends in the configured one) is still routed to the backend bound to that key, rather than to the backend intended for the Host actually sent.
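The following is an added illustration, not code from http-proxy-middleware or from this advisory. It models a router proxy table with host-only, path-only and host+path keys, resolves requests first the way the advisory describes (an `indexOf` substring test of the key against Host header plus URL, so any superstring matches) and then with an anchored lookup that requires the host to match exactly and the path to match at a segment boundary. The backend URLs, hostnames and request lines are constructed for the example; the anchored variant is a suggested hardening written here, not the project's fix.

```javascript
// Constructed proxy table, most specific key first, as a deployment would write it.
const proxyTable = {
  'api.example.com/admin': 'http://admin-backend:9000', // host+path key
  'api.example.com': 'http://public-backend:8000',      // host-only key
  '/health': 'http://health-backend:7000',              // path-only key
};

// Split a table key into its host part (null for path-only keys) and its
// path part (null for host-only keys).
function splitKey(key) {
  const slash = key.indexOf('/');
  if (slash === -1) return { host: key, path: null };
  return { host: key.slice(0, slash) || null, path: key.slice(slash) };
}

// Vulnerable lookup (models the behaviour the advisory describes, not the
// library's code verbatim): keys that contain '/' are matched with indexOf()
// against host + url, so a Host header or path that merely contains the key
// as a substring is treated as a match. Host-only keys are compared exactly.
function lookupSubstring(table, host, url) {
  const hostAndPath = host + url;
  for (const [key, target] of Object.entries(table)) {
    if (key.includes('/')) {
      if (hostAndPath.indexOf(key) > -1) return target;
    } else if (key === host) {
      return target;
    }
  }
  return undefined;
}

// Anchored lookup (hardening suggested here, assumed, not the project's fix):
// the key's host part must equal the Host header exactly (case-insensitively),
// and the key's path part must equal the request path or be a prefix of it at
// a '/' boundary, so '/admin' matches '/admin/users' but not '/administrator'.
function lookupAnchored(table, host, url) {
  const reqPath = url.split('?')[0];
  for (const [key, target] of Object.entries(table)) {
    const { host: keyHost, path: keyPath } = splitKey(key);
    const hostOk = keyHost === null || keyHost.toLowerCase() === host.toLowerCase();
    const pathOk =
      keyPath === null ||
      reqPath === keyPath ||
      reqPath.startsWith(keyPath.replace(/\/$/, '') + '/');
    if (hostOk && pathOk) return target;
  }
  return undefined;
}

// Constructed requests: one legitimate admin request, one with a superstring
// Host header, one whose path embeds the key, and one with a prefix-only path.
const requests = [
  { host: 'api.example.com', url: '/admin/users' },
  { host: 'evil-api.example.com', url: '/admin/users' },
  { host: 'api.example.com', url: '/public/api.example.com/admin' },
  { host: 'api.example.com', url: '/administrator' },
];

function compare(table, reqs) {
  return reqs.map((r) => ({
    ...r,
    substring: lookupSubstring(table, r.host, r.url),
    anchored: lookupAnchored(table, r.host, r.url),
  }));
}

for (const row of compare(proxyTable, requests)) {
  console.log(`${row.host}${row.url}\n  substring -> ${row.substring}\n  anchored  -> ${row.anchored}`);
}
```

Only the first request should reach the admin backend. With substring matching, the superstring Host `evil-api.example.com` and the path that embeds `api.example.com/admin` are both routed to it, and `/administrator` is treated as `/admin`; the anchored lookup rejects the foreign Host outright and sends the other two to the public backend. Keys carry the port exactly as the Host header does (`localhost:3000`), so an exact host comparison still needs the table written that way. A front proxy that normalises or pins the Host header before the request reaches Node reduces the attack surface but does not change the matching defect itself.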
Detect and mitigate CVE-2026-55602 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →