http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend. This vulnerability is fixed in 2.0.10, 3.0.6, and 4.1.0.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-187",
"CWE-20"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55602.json"
}{
"extracted_events": [
{
"introduced": "0.16.0"
},
{
"fixed": "2.0.10"
},
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.6"
},
{
"introduced": "4.0.0"
},
{
"fixed": "4.1.0"
}
],
"cpe": "cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*",
"source": "CPE_RANGE"
}