CVE-2026-55602
HighCVSS 8.6Exploitation Probability (EPSS)
Low risk26th percentile — higher than 26% of all known CVEs
Summary
Vulnerability in http-proxy-middleware from version 0.16.0 to 2.0.10, 3.0.6, and 4.1.0 involves incorrect matching of host+path router entries. The implementation uses unanchored substring matching instead of full matching, allowing an attacker to route requests to an unintended backend via a crafted Host header.
Risk Assessment
An attacker can bypass routing rules and redirect requests to an unauthorized backend, potentially leading to data disclosure, integrity compromise, or further attacks on internal systems.
Recommendation
Immediately update http-proxy-middleware to version 2.0.10, 3.0.6, or 4.1.0, depending on the major version in use.
Original NVD description (English source)
http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend. This vulnerability is fixed in 2.0.10, 3.0.6, and 4.1.0.

