
CVE-2024-21536: Denial of service in http-proxy-middleware

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.38233%
Published: 10/19/2024
Updated: 10/22/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name            Ecosystem   Vulnerable Versions    First Patched Version
http-proxy-middleware   npm         < 2.0.7                2.0.7
http-proxy-middleware   npm         >= 3.0.0, < 3.0.3      3.0.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description states that a Denial of Service occurs because micromatch throws an error while processing certain paths, and that error surfaces as an UnhandledPromiseRejection. The two referenced commits (0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5 and 788b21e4aff38332d6319557d4a5b1b13b1f9a22) both modify the shouldProxy method of the HttpProxyMiddleware class in src/http-proxy-middleware.ts.

In both commits the change is the same: the call to the path-matching function (contextMatcher.match in the older version, matchPathFilter in the newer one) is wrapped in a try-catch block. This directly addresses the unhandled error originating from the path-matching logic, which relies on micromatch.

The vulnerable function is therefore HttpProxyMiddleware.shouldProxy as it existed before these patches. It passes request paths to the matcher functions without any error handling, so it is the point in the http-proxy-middleware codebase where a micromatch exception escapes and takes the process down. This function would appear in a runtime profile or stack trace when the vulnerability is triggered by a request path that makes micromatch throw.
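The following is an added example, not code from http-proxy-middleware or from either patch. It shows the shape of the fix described above: an unguarded matcher call in shouldProxy beside the same call wrapped in a try-catch that turns a matcher exception into "do not proxy". The matcher is a stand-in for micromatch; the input that makes it throw (a NUL byte in the path) is a constructed trigger for the demo and is not the real micromatch failure condition, which this page does not describe. The `[HPM]` log prefix is likewise an assumption.

```javascript
// Added example (not http-proxy-middleware code). Demonstrates why an
// unguarded path-matcher call in shouldProxy is a DoS, and how a try-catch
// around it removes the crash.

// Stand-in for the path matcher (micromatch in the real project). The throw
// condition is constructed for this demo, not the real micromatch bug.
function fakeMatcher(pathname, pattern) {
  if (pathname.includes('\u0000')) {
    throw new Error('matcher rejected input');
  }
  // Tiny "/prefix/**" semantics: match the prefix itself or anything below it.
  const prefix = pattern.endsWith('/**') ? pattern.slice(0, -3) : pattern;
  return pathname === prefix || pathname.startsWith(prefix + '/');
}

// Pre-patch shape: the matcher call is unguarded. In the real middleware this
// runs inside an async request handler, so a throw rejects that handler's
// promise; with nothing handling the rejection, Node.js terminates the process.
function shouldProxyUnpatched(pathname, pattern) {
  return fakeMatcher(pathname, pattern);
}

// Post-patch shape: the matcher error is caught, logged and treated as a
// non-match, so the request is answered normally and the process stays up.
function shouldProxyPatched(pathname, pattern, log = () => {}) {
  try {
    return fakeMatcher(pathname, pattern);
  } catch (err) {
    log(`[HPM] path filter error: ${err.message}`); // prefix is an assumption
    return false;
  }
}

// Drives a shouldProxy variant the way a request handler would and reports
// whether the handler survived. The "survived: false" case is the one that
// becomes an unhandled promise rejection in the unpatched middleware.
function simulateRequest(shouldProxy, pathname, pattern) {
  try {
    return { survived: true, proxied: shouldProxy(pathname, pattern) };
  } catch (err) {
    return { survived: false, error: err.message };
  }
}

// Demo run: a normal path and the constructed trigger path against both shapes.
const PATTERN = '/api/**';
const TRIGGER = '/api\u0000'; // constructed input, see lead-in
console.log('unpatched, normal path :', simulateRequest(shouldProxyUnpatched, '/api/users', PATTERN));
console.log('unpatched, trigger path:', simulateRequest(shouldProxyUnpatched, TRIGGER, PATTERN));
console.log('patched,   trigger path:', simulateRequest(
  (p, pt) => shouldProxyPatched(p, pt, (m) => console.log('  log:', m)), TRIGGER, PATTERN));
```

The patched variant fails closed: a path the matcher cannot evaluate is simply not proxied, and the error is logged so a defender can see repeated matcher failures in the service logs rather than discovering them as process restarts.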

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the
