GHSA-c7qv-q95q-8v27

GitHub Security Advisory

Denial of service in http-proxy-middleware

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Versions of the package http-proxy-middleware before 2.0.7, and from 3.0.0 up to but not including 3.0.3, are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.

Affected Packages

npm http-proxy-middleware
Affected versions: >= 0, < 2.0.7 (fixed in 2.0.7)
npm http-proxy-middleware
Affected versions: >= 3.0.0, < 3.0.3 (fixed in 3.0.3)
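
A lockfile check for the two affected ranges, as an added example that is not part of the advisory or the project's own code: it scans the `packages` map of a package-lock.json (lockfileVersion 2 or 3) for installed copies of http-proxy-middleware, including nested ones. The sample lockfile and the parent package names in it are constructed, and prerelease suffixes are ignored as a simplifying assumption.

```javascript
const PKG = "http-proxy-middleware";
// Ranges from the advisory, as [introduced, fixed) pairs.
const AFFECTED = [
  { introduced: "0.0.0", fixed: "2.0.7" },
  { introduced: "3.0.0", fixed: "3.0.3" },
];

// Parse "major.minor.patch". Prerelease/build suffixes are ignored (assumption),
// so a prerelease is compared as its base version.
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the fixed version for an affected install, or null if not affected.
function fixedVersionFor(version) {
  const v = parse(version);
  if (!v) return null;
  const inRange = (r) =>
    compare(v, parse(r.introduced)) >= 0 && compare(v, parse(r.fixed)) < 0;
  const hit = AFFECTED.find(inRange);
  return hit ? hit.fixed : null;
}

// Walk every lockfile entry, including copies nested under other packages.
function findAffected(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isPkg = path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`);
    if (!isPkg) continue;
    const fixedIn = fixedVersionFor(meta.version);
    if (fixedIn) findings.push({ path, version: meta.version, fixedIn });
  }
  return findings;
}

// Constructed sample lockfile fragment (hypothetical parent packages).
const sampleLock = { packages: {
  "node_modules/http-proxy-middleware": { version: "2.0.6" },
  "node_modules/some-tool/node_modules/http-proxy-middleware": { version: "3.0.3" },
  "node_modules/other-tool/node_modules/http-proxy-middleware": { version: "3.0.2" },
} };
console.log(findAffected(sampleLock));
```

To scan a real project, pass the parsed contents of its package-lock.json to `findAffected` in place of `sampleLock`.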

Key Information

GHSA ID: GHSA-c7qv-q95q-8v27
Published: October 19, 2024 6:30 AM
Last Modified: October 22, 2024 7:47 PM
CVSS Score: 7.5/10
Primary Ecosystem: npm
Primary Package: http-proxy-middleware
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 15, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.