
AIKIDO-2026-286573

http-proxy-middleware is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 5 days ago

65

Medium Risk

This Affects:

http-proxy-middleware (JS)
- 3.0.0 - 3.0.5, fixed in 3.0.6
- 4.0.0 - 4.0.0, fixed in 4.1.0

TL;DR

The router object matcher in http-proxy-middleware selects upstream targets from a proxy table using substring checks over the request host and URL. A crafted Host header can match a shorter configured host+path key and forward the request to an unintended configured upstream. Before the fix, requests could be proxied to the wrong backend in multi-host router tables. The patch enforces exact host equality and prefix-only path matching for host+path keys.
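To make the matching difference concrete, here is an added illustrative re-implementation of a proxy-table matcher in the style the advisory describes, placed beside the strict variant the patch enforces. It is not http-proxy-middleware's own code; the router table, host names and upstream URLs are constructed for the example.

```javascript
// Added example: a minimal proxy-table matcher modelled on the behaviour the
// advisory describes. NOT the http-proxy-middleware source.
const containsPath = (key) => key.includes('/');

// Pre-fix behaviour as described: host+path keys are matched with a substring
// check over `host + url`, so a key can match anywhere in that string.
function matchSubstring(table, host, url) {
  const hostAndPath = host + url;
  for (const [key, target] of Object.entries(table)) {
    if (containsPath(key)) {
      if (hostAndPath.indexOf(key) > -1) return target;
    } else if (key === host) {
      return target;
    }
  }
  return undefined; // no route configured for this request
}

// Patched behaviour as described: exact host equality plus prefix-only path
// matching for host+path keys.
function matchStrict(table, host, url) {
  for (const [key, target] of Object.entries(table)) {
    if (containsPath(key)) {
      const slash = key.indexOf('/');
      const keyHost = key.slice(0, slash);
      const keyPath = key.slice(slash);
      if (host === keyHost && url.startsWith(keyPath)) return target;
    } else if (key === host) {
      return target;
    }
  }
  return undefined;
}

// Constructed router table (hypothetical hosts and upstreams).
const table = {
  'app.example.test/api': 'http://api-backend:8080',
  'app.example.test': 'http://web-backend:3000',
};

// Compare both matchers over a set of constructed requests.
function compareRouting(requests) {
  return requests.map(([host, url]) => ({
    host, url,
    substring: matchSubstring(table, host, url),
    strict: matchStrict(table, host, url),
  }));
}

console.table(compareRouting([
  ['app.example.test', '/api/users'],                      // legitimate API call
  ['other.app.example.test', '/api/users'],                // host not in the table
  ['app.example.test', '/static/app.example.test/api'],    // key embedded in the URL
]));
```

The second and third rows show the misrouting: the substring matcher sends both to the API upstream, while the strict matcher returns no route for the unknown host and routes the third request to the web upstream its host and path actually select.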

Who does this affect?

You are affected if you use a version within the vulnerable range and configure the router option as an object that maps hosts or host+path keys to upstream targets.

Background info

http-proxy-middleware is vulnerable to Server-Side Request Forgery (SSRF) in versions 3.0.0 - 3.0.5 and 4.0.0 - 4.0.0.

How to fix this

Upgrade the http-proxy-middleware library to a patched version: 3.0.6 for the 3.x line or 4.1.0 for the 4.x line.