CVE-2024-21536: Denial of service in http-proxy-middleware
(updated )
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
References
- gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a
- github.com/advisories/GHSA-c7qv-q95q-8v27
- github.com/chimurai/http-proxy-middleware
- github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5
- github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22
- nvd.nist.gov/vuln/detail/CVE-2024-21536
- security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906
Code Behaviors & Features
Detect and mitigate CVE-2024-21536 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →