http-proxy-middleware Denial-of-Service Vulnerability via Improper Header Management

Vulnerability

A denial-of-service vulnerability has been identified in http-proxy-middleware versions prior to 2.0.8 and in the 3.x series prior to 3.0.4. The writeBody function can be invoked more than once for the same response, which triggers the Node.js error 'Cannot set headers after they are sent to the client'. The root cause is an improper conditional structure that allows multiple writes to the response, breaking the normal ordering of header management in HTTP responses.

Impact

Exploitation of this vulnerability causes a denial-of-service condition: the proxy's handling of HTTP response headers is disrupted and the affected request ends in an error, and repeated triggering can further disrupt or degrade the service.

Reproduction

The vulnerability can be reproduced by sending a request to a server that uses http-proxy-middleware with a Content-Type header that includes 'application/x-www-form-urlencoded+json' or 'multipart/form-data'. The server processes the request body incorrectly, which allows the writeBody function to be called multiple times. Sending such requests repeatedly, for example from a script, produces the denial-of-service condition: the server responds with the error about headers being set after they were already sent.

Remediation

Users can upgrade to http-proxy-middleware 2.0.8 (for the 2.x series) or 3.0.4 (for the 3.x series) to address this vulnerability.
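Two defender-side checks for the issue described above, added here as an example and not code from http-proxy-middleware itself: an affected-range check for an installed version, and the guarded write pattern that turns a second writeBody call into a no-op instead of a thrown ERR_HTTP_HEADERS_SENT. The response stub, the function names and the sample bodies are constructed for this example; the library's real writeBody signature is not shown on this page.

```javascript
// Affected ranges from the advisory: every release before 2.0.8, and 3.x before 3.0.4.
function isVulnerableVersion(version) {
  const [major, minor, patch] = version.split(".").map((n) => parseInt(n, 10));
  if ([major, minor, patch].some(Number.isNaN)) throw new Error(`bad version: ${version}`);
  const before = (M, m, p) =>
    major < M || (major === M && (minor < m || (minor === m && patch < p)));
  if (major < 2) return true;
  if (major === 2) return before(2, 0, 8);
  if (major === 3) return before(3, 0, 4);
  return false; // newer majors are not listed as affected on this page
}

// Constructed stand-in for http.ServerResponse: like Node, setHeader() throws
// ERR_HTTP_HEADERS_SENT once headers have gone out, and end() sends them.
class FakeResponse {
  constructor() { this.headersSent = false; this.headers = {}; this.writes = 0; }
  setHeader(name, value) {
    if (this.headersSent) {
      const err = new Error("Cannot set headers after they are sent to the client");
      err.code = "ERR_HTTP_HEADERS_SENT";
      throw err;
    }
    this.headers[name.toLowerCase()] = value;
  }
  end(body) { this.headersSent = true; this.body = body; this.writes += 1; }
}

// Unguarded write (hypothetical): a second call reaches setHeader() after end()
// and throws, which is the failure mode the advisory describes.
function writeBodyUnguarded(res, body) {
  res.setHeader("content-length", Buffer.byteLength(body));
  res.end(body);
}

// Guarded write: once headers are sent the call is a no-op and reports false.
function writeBodyGuarded(res, body) {
  if (res.headersSent) return false;
  res.setHeader("content-length", Buffer.byteLength(body));
  res.end(body);
  return true;
}

// Invoke a write function twice on one response, as the bug does, and report
// how many bodies were written and which error code (if any) escaped.
function callTwice(writeBody, body = "a=1") {
  const res = new FakeResponse();
  let threw = null;
  try { writeBody(res, body); writeBody(res, body); } catch (e) { threw = e.code || e.message; }
  return { writes: res.writes, threw };
}
```

Running `callTwice(writeBodyUnguarded)` reproduces the ERR_HTTP_HEADERS_SENT failure on the stub, while `callTwice(writeBodyGuarded)` writes one body and raises nothing.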

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.