http-proxy-middleware Denial-of-Service Vulnerability in Body Parsing

Vulnerability

A denial-of-service vulnerability has been identified in http-proxy-middleware versions prior to 2.0.9 and in the 3.x series prior to 3.0.5. The issue arises in the 'fixRequestBody' function, which continues to process the request body even when the body parser has encountered an error. This flaw can be exploited by sending a request that the body parser cannot properly process, leading to potential request handling issues.
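As an added illustration of the check the paragraph above implies (not code from http-proxy-middleware), the following guard refuses to re-serialise a parsed body when the original request stream still holds unread bytes, which is what a parser that stopped on an error leaves behind. The `readableLength` test and the names `safeFixRequestBody` and `makeProxyReq` are assumptions made for this example.

```javascript
// Added example, not code from http-proxy-middleware: a body-rewrite guard in
// the spirit of the 'fixRequestBody' step. Assumptions: `req` exposes `body`
// (set by a body parser), `headers` and Node's `readableLength`; `proxyReq`
// exposes setHeader/write/destroy like http.ClientRequest.
function safeFixRequestBody(proxyReq, req) {
  const body = req.body;
  if (body === undefined || body === null) {
    return { action: 'skipped', reason: 'no parsed body' };
  }
  // A parser that gave up part-way (malformed payload, size limit) leaves
  // unread bytes on the original request. Re-serialising the partial object
  // would produce a proxied request that never matches what was sent, so the
  // upstream request is aborted instead of being forwarded as if valid.
  if (typeof req.readableLength === 'number' && req.readableLength !== 0) {
    proxyReq.destroy(new Error('request body was not fully consumed by the parser'));
    return { action: 'aborted', reason: 'unconsumed body bytes' };
  }
  const contentType = (req.headers && req.headers['content-type']) || '';
  let serialised;
  if (contentType.includes('application/json')) {
    serialised = JSON.stringify(body);
  } else if (contentType.includes('application/x-www-form-urlencoded')) {
    serialised = new URLSearchParams(body).toString();
  } else {
    return { action: 'skipped', reason: 'unsupported content type' };
  }
  // Content-Length must describe the re-serialised body, not the original.
  const bytes = Buffer.byteLength(serialised);
  proxyReq.setHeader('Content-Length', bytes);
  proxyReq.write(serialised);
  return { action: 'rewritten', bytes };
}

// Constructed stand-in for http.ClientRequest that records what the guard did.
function makeProxyReq() {
  const state = { headers: {}, written: [], destroyed: null };
  return {
    state,
    setHeader(name, value) { state.headers[name] = value; },
    write(chunk) { state.written.push(chunk); },
    destroy(err) { state.destroyed = err; },
  };
}

// Constructed requests: one fully parsed, one where the parser stopped early.
const good = { body: { user: 'alice' }, readableLength: 0, headers: { 'content-type': 'application/json' } };
const partial = { body: {}, readableLength: 512, headers: { 'content-type': 'application/json' } };
console.log(safeFixRequestBody(makeProxyReq(), good), safeFixRequestBody(makeProxyReq(), partial));
```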

Impact

Exploitation of this vulnerability can cause the middleware to improperly handle requests, potentially leading to application-level request processing issues or resource exhaustion.

Reproduction

The vulnerability can be reproduced by using a version of http-proxy-middleware that is either prior to 2.0.9 or in the 3.x series prior to 3.0.5. Send a request with a body that the parser cannot process, such as one containing invalid multipart data or an improperly formatted JSON payload. The 'fixRequestBody' function will be invoked, but it will not correctly address the malformed data, allowing the request to be processed as if it were valid.

Remediation

Users can upgrade to http-proxy-middleware version 2.0.9 (2.x series) or 3.0.5 (3.x series) to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread            4.2
  impact            0.8
  exploitability    5.7
  remediation       7.7
  relevance         0.0
  threat            4.8
  urgency           2.9
  incentive         1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.