CVE-2026-55603
CVE-2026-55603 is a high-severity vulnerability in Chimurai Http-proxy-middleware with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-93.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 0% (15th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-38349
- Weakness: CWE-93
- Affected product: Chimurai Http-proxy-middleware
- Published:
- Last modified:
Description
http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody() is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with handlerFormDataBodyData(), which interpolates each req.body key and value directly into the multipart wire format without neutralizing CR/LF. A \r\n inside a value (or key) lets an attacker close the current part and inject an entirely new form part. Because the proxy's own body parser saw a single opaque value, any gateway-side policy or validation performed on req.body is evaluated against a different set of fields than the upstream backend ultimately parses a request/parameter desynchronization across the trust boundary. This vulnerability is fixed in 3.0.7 and 4.1.1.
Frequently asked questions
- What is CVE-2026-55603?
- http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody() is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with handlerFormDataBodyData(), which interpolates each req.body key and value directly into the multipart wire format without neutralizing CR/LF. A \r\n inside a value (or key) lets an attacker close the current part and inject an entirely new form part. Because the proxy's own body parser saw a single opaque value, any gateway-side policy or validation performed on req.body is evaluated against a different set of fields than the upstream backend ultimately parses a request/parameter desynchronization across the trust boundary. This vulnerability is fixed in 3.0.7 and 4.1.1.
- How severe is CVE-2026-55603?
- CVE-2026-55603 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity high, and availability none.
- Is CVE-2026-55603 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (15th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-55603?
- CVE-2026-55603 affects Chimurai Http-proxy-middleware. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-55603?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-55603 have an EU (EUVD) identifier?
- Yes. CVE-2026-55603 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-38349.
- When was CVE-2026-55603 published?
- CVE-2026-55603 was published on 2026-06-22 and last updated on 2026-06-24.
References
Affected products (1)
- cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*
More vulnerabilities in Chimurai Http-proxy-middleware
- CVE-2026-55602 — High (CVSS 8.6): http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0,…
- CVE-2024-21536 — High (CVSS 7.5): Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of…
- CVE-2025-32997 — Medium (CVSS 4.0): In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.
- CVE-2025-32996 — Medium (CVSS 4.0): In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.
All CVEs affecting Chimurai Http-proxy-middleware →
Other CWE-93 (CRLF Injection) vulnerabilities
- CVE-2024-51501 — Critical (CVSS 10.0): Refit is an automatic type-safe REST library for .NET Core, Xamarin and .NET The various header-related Refit…
- CVE-2026-45372 — Critical (CVSS 9.9): cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's…
- CVE-2026-11362 — Critical (CVSS 9.8): DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not…
- CVE-2025-40671 — Critical (CVSS 9.3): SQL injection vulnerability in AES Multimedia's Gestnet v1.07. This vulnerability allows an attacker to retrieve,…
- CVE-2026-11373 — Critical (CVSS 9.1): Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for…
- CVE-2026-50638 — Critical (CVSS 9.1): Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd…