CVE-2024-21536
Denial of service in http-proxy-middleware
Severity: 7.5 HIGH (CVSS 3.1)
EPSS: 0.36%
Description
Versions of the package http-proxy-middleware before 2.0.7, and from 3.0.0 before 3.0.3, are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
How to fix CVE-2024-21536
To remediate CVE-2024-21536, upgrade the affected package to a fixed version listed below.
- Upgrade to 2.0.7 or later
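An added example, not code from the advisory or from the http-proxy-middleware project: a small Node.js audit that walks a package-lock.json and flags every installed copy of http-proxy-middleware whose version falls in the ranges the description lists as affected (before 2.0.7, and from 3.0.0 before 3.0.3). The sample lockfile and the nested dev-server path are constructed for illustration.

```javascript
// Added example, not code from the advisory or from http-proxy-middleware.
// Flags installed versions in the ranges the description lists as affected
// by CVE-2024-21536: < 2.0.7, and >= 3.0.0 < 3.0.3.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// A prerelease sorts before its release (2.0.7-rc.1 < 2.0.7), so it stays
// on the vulnerable side of the "fixed in 2.0.7" boundary.
function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Half-open ranges [from, before) taken from the advisory description.
const AFFECTED_RANGES = [{ from: '0.0.0', before: '2.0.7' }, { from: '3.0.0', before: '3.0.3' }];
function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compare(v, parseVersion(r.from)) >= 0 && compare(v, parseVersion(r.before)) < 0,
  );
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and report
// every installed copy of http-proxy-middleware (top-level or nested under
// another dependency) that is still in an affected range.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/http-proxy-middleware')) continue;
    if (entry.version && isAffected(entry.version)) findings.push({ path, version: entry.version });
  }
  return findings;
}

// Constructed sample lockfile: the top-level copy is fixed, but a nested copy
// pulled in by a hypothetical dev server is still vulnerable.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/http-proxy-middleware': { version: '2.0.7' },
    'node_modules/example-dev-server/node_modules/http-proxy-middleware': { version: '2.0.6' },
  },
};
```

Nested copies are the ones a top-level `npm ls` glance tends to miss, which is why the audit matches on the path suffix rather than only the root entry.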
Is CVE-2024-21536 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- http-proxy-middleware: from 0, < 2.0.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |