PatchSiren

CVE-2026-55602 chimurai CVE debrief

CVE-2026-55602 is a vulnerability in http-proxy-middleware, the Node.js proxy middleware for Connect/Express-style servers maintained by chimurai. When the proxy selects a backend from a configured host+path key, a crafted Host header that is merely a superstring of that key (the configured key appears somewhere inside the attacker's host-plus-path string) still matches it, so the request is forwarded to a backend the operator did not intend for that host. Affected versions run from 0.16.0 up to, but not including, 2.0.10 on the 2.x line, 3.0.6 on 3.x and 4.1.0 on 4.x; those three releases fix the issue. The vulnerability has a CVSS 4.0 score of 6.9 (MEDIUM).

Vendor
chimurai
Product
http-proxy-middleware
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-22
Original CVE updated
2026-06-26
Advisory published
2026-06-22
Advisory updated
2026-06-26

Who should care

Developers and operators who run http-proxy-middleware in front of more than one backend and pick the backend by host+path key are the exposed population. The routing decision is made from the Host header, which the client controls, so an unauthenticated sender can steer a request to a backend it should not reach without any interaction from a user. Exposure is lower where the proxy only ever forwards to a single target, since there is no other backend to be misrouted to, but every affected deployment should move to a fixed release.

Technical summary

The flaw is an unanchored substring match on attacker-controlled request metadata. When the proxy decides the backend from a configured host+path key, the implementation checks whether the request's host-plus-path string contains the key, rather than whether the host equals the key's host and the path begins with the key's path. Any Host header that embeds a configured key (for example one that simply prepends characters to a configured hostname) therefore satisfies the check and is forwarded to that key's backend. Because the Host header is supplied by the client, no privileges or user interaction are needed. Affected versions run from 0.16.0 up to, but not including, 2.0.10 (2.x), 3.0.6 (3.x) and 4.1.0 (4.x). The CVSS 4.0 vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, that is: network attack vector, low complexity, no privileges or user interaction, low integrity impact on the vulnerable system (the request lands on the wrong backend) and no rated confidentiality or availability impact; the remaining metrics are not defined (X).
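To make the matching flaw concrete, here is an added illustration written for this debrief. It is not http-proxy-middleware's own code: it models a routing table keyed by "host" or "host/path" in the way the advisory describes and places an unanchored substring match (the vulnerable pattern) beside an exact-host, segment-boundary path-prefix match (the hardened pattern). The hostnames and backend URLs are constructed sample values.

```javascript
// Added illustration of the matching flaw the advisory describes. This is
// not http-proxy-middleware's own code: it models a routing table keyed by
// "host" or "host/path" and contrasts an unanchored substring match
// (vulnerable) with an exact-host, path-prefix match (hardened).
// Hostnames and backends below are constructed sample values.

const ROUTE_TABLE = {
  "api.internal.example:3000": "http://api-backend:8001",        // host-only key
  "admin.internal.example:3000/ops": "http://ops-backend:8002",  // host+path key
};

// Vulnerable: for host+path keys, any request whose host+path string merely
// CONTAINS the key matches it. "evil-admin.internal.example:3000/ops" is a
// superstring of "admin.internal.example:3000/ops", so it is routed to ops.
function routeVulnerable(table, host, path) {
  const hostAndPath = host.toLowerCase() + path;
  for (const key of Object.keys(table)) {
    if (key.includes("/")) {
      if (hostAndPath.indexOf(key) > -1) return table[key]; // unanchored match
    } else if (host.toLowerCase() === key) {
      return table[key];
    }
  }
  return undefined; // caller falls back to its default target
}

// Hardened: the Host header must equal the configured host exactly, and the
// request path (query string removed) must equal the configured path or
// continue it on a "/" boundary, so "/opsx" does not match "/ops".
function routeAnchored(table, host, path) {
  const reqHost = host.toLowerCase();
  const reqPath = path.split("?")[0];
  for (const key of Object.keys(table)) {
    const slash = key.indexOf("/");
    const keyHost = slash === -1 ? key : key.slice(0, slash);
    const keyPath = slash === -1 ? "" : key.slice(slash);
    if (reqHost !== keyHost) continue;
    if (keyPath === "") return table[key];
    if (reqPath === keyPath || reqPath.startsWith(keyPath + "/")) return table[key];
  }
  return undefined;
}

// Run the same hostile request through both matchers side by side.
function compare(host, path) {
  return {
    vulnerable: routeVulnerable(ROUTE_TABLE, host, path),
    anchored: routeAnchored(ROUTE_TABLE, host, path),
  };
}

console.log(compare("evil-admin.internal.example:3000", "/ops"));
// { vulnerable: 'http://ops-backend:8002', anchored: undefined }
```

The anchored variant also lower-cases the host before comparing, since Host headers are case-insensitive, and strips the query string before the path check; both are details a substring match quietly gets wrong.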

Defensive priority

The severity is MEDIUM with a CVSS 4.0 score of 6.9: network-reachable, no authentication, no user interaction, with the impact confined to low integrity (a request reaches the wrong backend). It is not listed in CISA KEV in the stored evidence. Treat it as routine patching for proxies that forward to a single target, and as a priority for proxies that fan out to several backends by host+path key, where the unintended backend may be relying on the proxy to keep other hosts' traffic away from it. In all cases the fix is to upgrade http-proxy-middleware to a fixed release.

Recommended defensive actions

  • Update http-proxy-middleware to 2.0.10, 3.0.6 or 4.1.0 (or a later release on the same major line), and regenerate lockfiles so the fixed version is what actually ships.
  • Inventory applications that route by host+path key to more than one backend; these are the deployments where a misrouted request reaches something it should not.
  • Until the upgrade lands, put an exact-match Host header allow-list in front of the proxy and reject every other value, so the proxy never sees a Host it is not configured for.
  • Log the Host header alongside the backend the proxy selected, and alert on any host value outside the configured set.
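The Host header allow-list recommended above can be implemented as a small middleware that runs before the proxy. The following is an added example written for this debrief, not code from http-proxy-middleware: a Connect/Express-style `(req, res, next)` function that rejects any request whose Host header is not an exact entry in a configured list, together with a small harness that drives it with stand-in request and response objects so it can be exercised without a running server. The hostnames are constructed sample values.

```javascript
// Added compensating control, not http-proxy-middleware code: a Connect/Express
// style middleware that rejects any request whose Host header is not an exact
// entry in a configured allow-list. Mount it before the proxy so a superstring
// host such as "evil-admin.internal.example:3000" never reaches the proxy's
// routing logic. Hostnames below are constructed sample values.

// Returns a normalised lower-case "host[:port]" string, or null when the header
// is missing or is not a plain host[:port] / [ipv6]:port token. A "/" or a
// space inside a Host header is itself a sign of tampering and is rejected.
function normalizeHost(hostHeader) {
  if (typeof hostHeader !== "string") return null;
  const host = hostHeader.trim().toLowerCase();
  const ok = /^(?:[a-z0-9.-]+|\[[0-9a-f:.]+\])(?::\d{1,5})?$/.test(host);
  return ok ? host : null;
}

// Builds the middleware from the list of hosts this proxy is configured for.
function hostAllowlist(allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return function checkHost(req, res, next) {
    const host = normalizeHost(req.headers.host);
    if (host === null || !allowed.has(host)) {
      // 421 Misdirected Request: this server is not configured for that Host.
      res.statusCode = 421;
      res.setHeader("Content-Type", "text/plain");
      res.end("Misdirected Request\n");
      return;
    }
    next();
  };
}

// Drives the middleware with minimal stand-in req/res objects. Returns "next"
// when the request is allowed through, otherwise the status code that was sent.
function simulate(middleware, hostHeader) {
  const req = { headers: hostHeader === undefined ? {} : { host: hostHeader } };
  const res = {
    statusCode: 200,
    headers: {},
    ended: false,
    setHeader(name, value) { this.headers[name] = value; },
    end() { this.ended = true; },
  };
  let passed = false;
  middleware(req, res, () => { passed = true; });
  return passed ? "next" : res.statusCode;
}

const checkHost = hostAllowlist([
  "api.internal.example:3000",
  "admin.internal.example:3000",
]);

console.log(simulate(checkHost, "Admin.Internal.Example:3000"));      // "next"
console.log(simulate(checkHost, "evil-admin.internal.example:3000")); // 421
console.log(simulate(checkHost, "admin.internal.example:3000/ops"));  // 421
```

In an Express application the middleware goes in with `app.use(checkHost)` ahead of the proxy middleware. Matching is exact after lower-casing, never prefix or substring based, which is precisely the property the vulnerable routing lacked; the port is part of the allow-listed value, so list both forms if clients may legitimately omit a default port.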

Evidence notes

The vulnerability is documented in the CVE record and the NVD detail page. The source item URL gives additional detail on the issue, and the vendor's mitigation reference lists the fixed versions.

Official resources

This article is AI-assisted and based on the supplied source corpus.