CVE-2026-55602
http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend. This vulnerability is fixed in 2.0.10, 3.0.6, and 4.1.0.
| CWE | CWE-20 CWE-187 |
| Vendor | chimurai |
| Product | http-proxy-middleware |
| Published | Jun 22, 2026 |
Stay Ahead of the Next One
Get instant alerts for chimurai http-proxy-middleware
Be the first to know when new unknown vulnerabilities affecting chimurai http-proxy-middleware are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
chimurai / http-proxy-middleware
>= 4.0.0, < 4.1.0 >= 3.0.0, < 3.0.6 >= 0.16.0, < 2.0.10