httpxy is vulnerable to HTTP Request Smuggling
63
Medium Risk
httpxy proxies HTTP requests to upstream servers and, since default keep-alive agents were enabled, reuses upstream sockets across requests. Before the fix, an outgoing request carrying a transfer-encoding (chunked) header could reuse an upstream keep-alive socket, so a request-boundary disagreement at a lenient upstream could desynchronize the connection and let a smuggled request poison a later user's response. The 307/308 redirect replay path and a Connection: upgrade combined with a chunked body shared the same weakness. The fix adds a forceConnectionCloseForTransferEncoding helper and forces connection: close on every outgoing path whenever the request carries transfer-encoding, so the upstream socket is torn down after use and cannot be reused.
You are affected if you are using a version that falls within the vulnerable range.
httpxy is vulnerable to HTTP Request Smuggling in versions 0.5.0 - 0.5.4.
Upgrade the httpxy library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant