CVE-2026-55603
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
The http-proxy-middleware library in versions 3.0.4 to 3.0.7 and 4.1.1 has a vulnerability related to the fixRequestBody() method. When sending data in multipart/form-data format, an attacker can inject new form parts, leading to data desynchronization between the proxy and the backend.
Risk Assessment
This vulnerability may allow attackers to manipulate data transmitted through the proxy, potentially leading to unauthorized access or data modification. Organizations should be aware of the risks associated with improper form data processing.
Recommendation
It is recommended to update the http-proxy-middleware library to versions 3.0.7 or 4.1.1 to mitigate this vulnerability. Additionally, an audit of existing security policies regarding form data processing should be conducted.
Original NVD description (English source)
http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody() is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with handlerFormDataBodyData(), which interpolates each req.body key and value directly into the multipart wire format without neutralizing CR/LF. A \r\n inside a value (or key) lets an attacker close the current part and inject an entirely new form part. Because the proxy's own body parser saw a single opaque value, any gateway-side policy or validation performed on req.body is evaluated against a different set of fields than the upstream backend ultimately parses a request/parameter desynchronization across the trust boundary. This vulnerability is fixed in 3.0.7 and 4.1.1.

