GHSA-6x33-pw7p-hmpq
Denial of Service vulnerability in http-proxy (npm)

Vulnerability type: Denial of Service. Known public exploits: none.

What is GHSA-6x33-pw7p-hmpq About?

This vulnerability is a Denial of Service flaw in `http-proxy` versions prior to 1.18.1. It allows an attacker to crash the proxy server by sending an HTTP request with a long body to a proxy that sets headers on the outgoing request under specific conditions. Exploitation makes the server unavailable and is relatively simple.

Affected Software

http-proxy <1.18.1

Technical Details

The http-proxy library, in versions before 1.18.1, contains a Denial of Service vulnerability. It occurs when an HTTP request with an unusually long body is processed by a proxy server that also sets custom headers on the outgoing request by calling proxyReq.setHeader in its proxyReq event handler. With a long body, the headers of the proxied request have already been flushed to the upstream socket by the time the handler runs, so the setHeader call throws an ERR_HTTP_HEADERS_SENT exception; because nothing catches it, the Node.js process hosting the proxy server crashes. An attacker can trigger this by sending a POST request with a large body (the original report includes a curl example) to the vulnerable proxy endpoint.

What is the Impact of GHSA-6x33-pw7p-hmpq?

Successful exploitation may allow attackers to crash the proxy server, leading to a complete denial of service for all users relying on that proxy.

What is the Exploitability of GHSA-6x33-pw7p-hmpq?

Exploitation is straightforward: a single HTTP POST request with a long body is enough, so attack complexity is low. No authentication is required, as the vulnerability sits in the HTTP request handling itself. It is remotely exploitable, since the attacker only needs network access to the proxy server. The prerequisites are that the server uses http-proxy and sets headers via proxyReq.setHeader while forwarding requests. The main risk factor is an exposed http-proxy instance that processes untrusted HTTP requests.

What are the Known Public Exploits?

No known public exploits (PoC / Author / Link / Commentary): none listed.

What are the Available Fixes for GHSA-6x33-pw7p-hmpq?

Available Upgrade Options

  • http-proxy
    • <1.18.1 → Upgrade to 1.18.1
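The following is an added example written for this advisory, not code from the advisory or from the http-proxy project. It covers two defender-side checks that follow from the Technical Details and Available Upgrade Options sections above: a version test that flags an installed http-proxy older than 1.18.1, and the guard a proxyReq event listener should apply before calling setHeader, so that a request whose headers have already been flushed is skipped (and logged) instead of throwing ERR_HTTP_HEADERS_SENT and crashing the process. The stub request object, the header names and the backend target in the comments are constructed for the example.

```javascript
// Added example for GHSA-6x33-pw7p-hmpq (not from the advisory or http-proxy).
// A client that sends a large body with "Expect: 100-continue" (curl does this
// by default for large POST bodies) makes Node flush the outgoing request
// headers immediately, so a later proxyReq.setHeader() throws
// ERR_HTTP_HEADERS_SENT. Checking proxyReq.headersSent first avoids that.

const FIXED_VERSION = '1.18.1';

// Minimal "major.minor.patch" comparison; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the given http-proxy version is in the affected range (<1.18.1).
// Feed it the version reported by `npm ls http-proxy` or package-lock.json.
function isVulnerableHttpProxy(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Applies headers to the outgoing proxied request only while they can still
// be changed. Returns which headers were applied and which were skipped so the
// caller can log the skip instead of letting an exception take the process down.
function setHeadersIfUnsent(proxyReq, headers) {
  const names = Object.keys(headers);
  if (proxyReq.headersSent) {
    return { applied: [], skipped: names };
  }
  for (const name of names) proxyReq.setHeader(name, headers[name]);
  return { applied: names, skipped: [] };
}

// Constructed stand-in for http.ClientRequest so the guard can be exercised
// offline; a real ClientRequest exposes the same headersSent/setHeader surface
// and throws the same error code once headers are on the wire.
function makeStubRequest(headersSent) {
  const stored = {};
  return {
    headersSent,
    headers: stored,
    setHeader(name, value) {
      if (this.headersSent) {
        const err = new Error('Cannot set headers after they are sent to the client');
        err.code = 'ERR_HTTP_HEADERS_SENT';
        throw err;
      }
      stored[name] = value;
    },
  };
}

// Intended wiring with http-proxy (hypothetical target; not executed here):
//   const proxy = httpProxy.createProxyServer({ target: 'http://backend.internal:8080' });
//   proxy.on('proxyReq', (proxyReq, req) => {
//     const r = setHeadersIfUnsent(proxyReq, { 'x-forwarded-host': req.headers.host });
//     if (r.skipped.length) console.warn('headers already sent; skipped', r.skipped);
//   });
//   proxy.on('error', (err, req, res) => { res.writeHead(502); res.end(); });

// Runs both checks on constructed input and returns the results.
function demo() {
  return {
    vulnerable_1_18_0: isVulnerableHttpProxy('1.18.0'),
    vulnerable_1_18_1: isVulnerableHttpProxy('1.18.1'),
    flushedRequest: setHeadersIfUnsent(makeStubRequest(true), { 'x-a': '1' }),
    openRequest: setHeadersIfUnsent(makeStubRequest(false), { 'x-a': '1' }),
  };
}

console.log(demo());
```

The guard is a mitigation for code that cannot upgrade immediately; the real fix is still the upgrade to 1.18.1. An `error` listener on the proxy is included in the wiring sketch because http-proxy emits errors rather than throwing them, and an unhandled `error` event also terminates a Node.js process.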


Additional Resources

What are Similar Vulnerabilities to GHSA-6x33-pw7p-hmpq?

Similar Vulnerabilities: CVE-2020-28283, CVE-2019-10777, CVE-2021-44224, CVE-2022-23529, CVE-2023-38408