PatchSiren cyber security CVE debrief
CVE-2026-55603 chimurai CVE debrief
CVE-2026-55603 is a vulnerability in http-proxy-middleware, a Node.js library used for proxying HTTP requests. It affects versions 3.0.4 to 3.0.7 and 4.1.1, where the fixRequestBody() helper does not neutralize CR/LF characters when it re-emits a multipart/form-data request. An attacker can therefore inject a new form part by placing a CR+LF sequence in a request body key or value, so that the backend parses form parts which the gateway-side policy or validation on req.body never saw (a request/parameter desynchronization across the trust boundary). The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. It was published on June 22, 2026, and modified on June 24, 2026.
- Vendor: chimurai
- Product: http-proxy-middleware
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-22
- Original CVE updated: 2026-06-24
- Advisory published: 2026-06-22
- Advisory updated: 2026-06-24
Who should care
Developers and administrators using http-proxy-middleware in their Node.js applications should be aware of this vulnerability. Specifically, those who use the library to proxy requests and handle multipart/form-data requests should take immediate action to upgrade to a patched version. Additionally, security teams and vulnerability managers should prioritize this vulnerability for assessment and remediation due to its high severity and potential impact on application security.
Technical summary
The vulnerability in http-proxy-middleware arises from the fixRequestBody() helper function, which re-emits a request body that a body parser has already consumed. When the outgoing Content-Type is multipart/form-data, the function rebuilds the body using handlerFormDataBodyData(). That function interpolates each req.body key and value directly into the multipart wire format without neutralizing CR/LF characters. As a result, a CR+LF sequence inside a request body key or value can start a new form part. The gateway validates the req.body object it parsed, but the backend parses the rebuilt wire format and so may see additional parts; this desynchronization lets an attacker bypass gateway-side security controls or inject data the gateway never inspected.
Defensive priority
This vulnerability should be prioritized for immediate attention due to its high severity and potential impact on application security. Developers and security teams should work together to assess the vulnerability's impact on their applications and prioritize remediation efforts.
Recommended defensive actions
- Upgrade to a patched version of http-proxy-middleware (3.0.7 or 4.1.1) as soon as possible.
- Review and update gateway-side policy or validation performed on req.body, bearing in mind that until the fix is applied the backend may parse form parts that the gateway-side checks never saw.
- Implement additional monitoring and logging to detect potential exploitation attempts.
- Perform a thorough inventory check to identify all affected applications and systems.
- Develop and deploy compensating controls to mitigate the vulnerability until a patch can be applied.
Evidence notes
The vulnerability was published on June 22, 2026, and modified on June 24, 2026. The CVE record and NVD detail provide additional information on the vulnerability, including its CVSS score and affected versions. A mitigation or vendor reference is available on GitHub, providing guidance on how to address the vulnerability.
Official resources
- CVE-2026-55603 CVE record: CVE.org
- CVE-2026-55603 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: GitHub (tagged Exploit, Mitigation, Vendor Advisory)
This article was generated with AI assistance based on the supplied source corpus.