CVE-2024-21536
Denial of Service (DoS) vulnerability in http-proxy-middleware (npm)

Denial of Service (DoS) | No known exploit | Fixable by Resolved Security

What is CVE-2024-21536 About?

This is a Denial of Service (DoS) vulnerability in http-proxy-middleware that can crash a Node.js server. For certain request paths, the micromatch dependency that evaluates the proxy's pathFilter throws an exception. Because the throw happens inside the middleware's async request handler, it surfaces as an unhandled promise rejection, and under the default settings of Node.js 15 and later an unhandled rejection terminates the process. Exploitation is simple for an attacker who can send HTTP requests with specific paths to the proxy.

Affected Software

  • http-proxy-middleware
    • >3.0.0, <3.0.3
    • <2.0.7

Technical Details

The http-proxy-middleware package, in versions before 2.0.7 and in versions from 3.0.0 up to but not including 3.0.3, is vulnerable to a Denial of Service (DoS) condition. When a request with a crafted path is matched against a glob pathFilter, the underlying micromatch dependency throws. The middleware evaluates the filter inside an async request handler without a guard, so the exception is converted into a rejected promise that nothing awaits: an UnhandledPromiseRejection. In Node.js 15 and later the default unhandled-rejections mode is "throw", which turns that rejection into an uncaught exception and terminates the process, crashing the server. Older Node.js releases only printed a deprecation warning by default, so the crash there depends on whether the deployment opted into the throwing behaviour.

What is the Impact of CVE-2024-21536?

Successful exploitation allows an attacker to terminate the Node.js process and take the server down, denying service to legitimate users. A process supervisor (systemd, pm2, a container orchestrator) will restart the process, but since a single request is enough to crash it again, the result is a restart loop rather than restored availability.

What is the Exploitability of CVE-2024-21536?

Exploitation of this DoS vulnerability is of low complexity. An attacker needs network access to the application using http-proxy-middleware and the ability to send HTTP requests with crafted paths. No authentication or elevated privileges are required, so the attack is unauthenticated wherever the vulnerable proxy is publicly reachable. The attack vector is a direct HTTP request. Any deployment whose pathFilter (or context, in 2.x) is evaluated with micromatch, i.e. a glob pattern, passes the request path to the matcher, so unless an upstream layer (a WAF, reverse proxy, or request validator) rejects the crafted path first, it reaches the vulnerable code.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits

What are the Available Fixes for CVE-2024-21536?

A Fix by Resolved Security Exists!
Learn how we backport CVE fixes to your open-source libraries effortlessly.

About the Fix from Resolved Security

This patch wraps the pathFilter evaluation so that if the filter (the micromatch glob match or a custom pathFilter function) throws, the proxy middleware logs the error and returns false, declining to proxy the request and responding with a 404 status instead of letting the exception propagate. This addresses CVE-2024-21536 by removing the unhandled promise rejection that crashes the process; it also contains exceptions raised by custom pathFilter implementations, which would otherwise propagate to the caller and could expose error details.
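The following is an added example, not code from http-proxy-middleware or from Resolved Security's backport. It models the mechanism described under Technical Details and the guard described in the fix above: a glob matcher that throws on attacker-chosen input, an async request handler that evaluates the filter unguarded (the rejected promise becomes an unhandledRejection), and a shouldProxy wrapper that catches the throw, logs it, and answers 404. The matcher is a constructed stand-in that throws on a NUL byte in the path; it does not reproduce the specific input that makes the real micromatch throw. The function names (matchGlob, matchPathFilter, shouldProxy, dispatch) and the 404 response are this example's own choices; a real middleware might instead fall through to the next handler.

```javascript
// Added example (not http-proxy-middleware's or Resolved Security's code):
// why a throwing pathFilter inside an async handler becomes an
// unhandledRejection, and the try/catch guard that turns it into a 404.

// Record unhandled rejections so the demo can observe the event. With no
// listener, Node.js 15+ terminates the process on the first one; that default
// is the crash behind CVE-2024-21536.
const unhandledRejections = [];
process.on('unhandledRejection', (reason) => {
  unhandledRejections.push(reason instanceof Error ? reason.message : String(reason));
});

// Constructed stand-in for the glob matcher: supports "prefix/**" patterns and
// deliberately throws on a path containing a NUL byte. It mimics the shape of
// the failure (matcher throws on attacker-chosen input), not micromatch's trigger.
function matchGlob(pattern, path) {
  if (typeof path !== 'string' || path.includes('\0')) {
    throw new TypeError(`matcher: unsupported input ${JSON.stringify(path)}`);
  }
  if (pattern.endsWith('/**')) return path.startsWith(pattern.slice(0, -2));
  return path === pattern;
}

// pathFilter as http-proxy-middleware documents it: a glob, an array of globs,
// or a (pathname, req) => boolean function.
function matchPathFilter(pathFilter, path, req) {
  if (typeof pathFilter === 'function') return pathFilter(path, req);
  const globs = Array.isArray(pathFilter) ? pathFilter : [pathFilter];
  return globs.some((glob) => matchGlob(glob, path));
}

// Tiny response object so nothing here needs Express or a listening socket.
function makeRes() {
  const res = { statusCode: null, body: null, ended: false };
  res.end = (body = '') => { res.body = body; res.ended = true; return res; };
  return res;
}

// VULNERABLE shape: the matcher runs unguarded inside an async handler. A throw
// rejects the handler's promise; the server dropped that promise, so the
// rejection is unhandled and the response is never sent.
async function vulnerableMiddleware(pathFilter, req, res) {
  if (matchPathFilter(pathFilter, req.url, req)) {
    res.statusCode = 200;
    return res.end('proxied');
  }
  res.statusCode = 404;
  return res.end('not found');
}

// HARDENED shape, the same idea as the 2.0.7 / 3.0.3 fix: a throwing filter is
// logged and treated as "do not proxy", so the request gets a 404 and the
// process stays up.
function shouldProxy(pathFilter, req, logger = console) {
  try {
    return matchPathFilter(pathFilter, req.url, req);
  } catch (err) {
    logger.error(`pathFilter threw for url ${JSON.stringify(req.url)}: ${err.message}`);
    return false;
  }
}

async function hardenedMiddleware(pathFilter, req, res, logger = console) {
  if (shouldProxy(pathFilter, req, logger)) {
    res.statusCode = 200;
    return res.end('proxied');
  }
  res.statusCode = 404;
  return res.end('not found');
}

// Hand a request to a middleware the way a server does: the returned promise
// is dropped, so nothing is left to catch a rejection.
function dispatch(middleware, pathFilter, url, logger = console) {
  const res = makeRes();
  middleware(pathFilter, { url, method: 'GET' }, res, logger); // fire and forget
  return res;
}

// Demo: a benign request and a constructed "crafted" request through each handler.
async function demo() {
  const silent = { error() {} };
  const benign = dispatch(vulnerableMiddleware, '/api/**', '/api/users');
  const hung = dispatch(vulnerableMiddleware, '/api/**', '/api/\0demo');
  const answered = dispatch(hardenedMiddleware, '/api/**', '/api/\0demo', silent);
  await new Promise((resolve) => setTimeout(resolve, 0)); // let Node report rejections
  console.log('vulnerable, benign path: status', benign.statusCode, 'ended', benign.ended);
  console.log('vulnerable, crafted path: status', hung.statusCode, 'ended', hung.ended);
  console.log('hardened, crafted path: status', answered.statusCode, 'ended', answered.ended);
  console.log('unhandled rejections observed:', unhandledRejections);
}
demo();
```

Run it with node and note two things: the vulnerable handler never ends the crafted request (the client hangs) and its failure shows up only through the process-level unhandledRejection event, which is exactly the condition that kills the process when no listener is installed; the hardened handler answers 404 and the rejection list stays empty for it. Installing an unhandledRejection listener as this demo does is not a fix, only a way to observe the event: the guard belongs at the point where the filter is evaluated.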

Available Upgrade Options

  • http-proxy-middleware
    • <2.0.7 → Upgrade to 2.0.7
    • >=3.0.0, <3.0.3 → Upgrade to 3.0.3


Additional Resources

What are Similar Vulnerabilities to CVE-2024-21536?

Similar Vulnerabilities: CVE-2023-45133, CVE-2023-38035, CVE-2022-23485, CVE-2021-39139, CVE-2021-23425