4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32997

CVE-2025-32997: http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed

In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-32997

CVE-2025-32997:

4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
http-proxy-middleware	npm	>= 3.0.0, < 3.0.5	3.0.5
http-proxy-middleware	npm	>= 1.3.0, < 2.0.9	2.0.9

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description states that fixRequestBody proceeds even if bodyParser has failed. The provided commit 1bdccbeec243850f1d2bb50ea0ff2151e725d67e directly addresses this by adding a condition at the beginning of the fixRequestBody function in src/handlers/fix-request-body.ts. This new condition checks req.readableLength and returns if it's not zero, which signifies that bodyParser did not successfully parse the entire request body, or failed. Before this change, fixRequestBody would continue its execution path regardless of bodyParser's success, making it the function where the vulnerability manifested. The test file test/unit/fix-request-body.spec.ts also shows changes related to this logic, specifically in the test case it('should not fixRequestBody() when there bodyParser fails'), confirming that the behavior of fixRequestBody under bodyParser failure conditions was the focus of the fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-32997: http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed

CVE-2025-32997:

4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

4

4

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-32997: http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI