Http-proxy version 0.10.4 is a refinement of the 0.10.3 release; both are full-featured HTTP reverse proxies for Node.js applications. The key distinction lies in the updated dependencies. Version 0.10.4 upgrades utile from ~0.1.7 to ~0.2.1, pkginfo from 0.2.x to 0.3.x, and optimist from 0.3.x to 0.6.x. These dependency updates likely incorporate bug fixes, performance improvements, and potentially new features offered by those libraries. Developers should consider these changes in the context of their existing projects, as they can affect compatibility. While the core functionality remains consistent, developers might benefit from the updated versions of utile, pkginfo, and optimist, particularly if they were experiencing issues or seeking enhancements related to those libraries. The development dependencies, including those for testing and WebSocket support, are the same in both versions. Both versions were released by Nodejitsu Inc. and are available on GitHub under the same repository URL. Choosing between the two hinges on the project's dependency constraints and whether the improvements in the updated dependencies justify the risk of potential compatibility issues. Developers are encouraged to carefully evaluate the changelogs of utile, pkginfo and optimist for a comprehensive understanding of the updates integrated within http-proxy 0.10.4.
All the vulnerabilities related to the version 0.10.4 of the package
Denial of Service in http-proxy
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"
Upgrade to version 1.18.1 or later.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
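The two minimist advisories above both come down to the same defect: setKey() walks a dotted key path and, because `{}["__proto__"]` is Object.prototype rather than undefined, the walk lands on the shared prototype and writes there. The following is an added example, not minimist's or http-proxy's own code, that reproduces that walk in a minimal "--a.b=value" parser beside a hardened version that refuses the prototype-affecting path segments and stores results in a null-prototype object. The function names (parseArgsVulnerable, parseArgsSafe, setKeySafe, demonstrate) and the sample argv are this example's own; the hardened variant is a general mitigation, not a claim about the exact patch minimist shipped.

```javascript
// Added example: a minimal "--key.sub=value" parser showing the dotted-key walk
// that pollutes Object.prototype, beside a hardened setKey. Not minimist's code.

// Only the "--a.b.c=value" form used in the advisory is handled; other args are ignored.
function splitArg(arg) {
  const m = /^--([^=]+)=(.*)$/.exec(arg);
  return m ? { keys: m[1].split('.'), value: m[2] } : null;
}

// Vulnerable walk: "__proto__" is never undefined on a plain object, so the
// loop steps onto Object.prototype and the final assignment lands there.
function setKeyVulnerable(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

function parseArgsVulnerable(argv) {
  const result = {};
  for (const arg of argv) {
    const parsed = splitArg(arg);
    if (parsed) setKeyVulnerable(result, parsed.keys, parsed.value);
  }
  return result;
}

// Hardened walk: refuse any key path containing a prototype-affecting segment,
// only descend into own properties, and create intermediate nodes without a prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setKeySafe(obj, keys, value) {
  if (keys.some((k) => FORBIDDEN_SEGMENTS.has(k))) return false;
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) {
      o[key] = Object.create(null);
    }
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

function parseArgsSafe(argv) {
  const result = Object.create(null); // no Object.prototype to reach in the first place
  const rejected = [];
  for (const arg of argv) {
    const parsed = splitArg(arg);
    if (!parsed) continue;
    if (!setKeySafe(result, parsed.keys, parsed.value)) rejected.push(arg);
  }
  return { result, rejected };
}

// Runs the advisory's argument (constructed sample argv) through both parsers and
// reports whether a fresh object was polluted. Object.prototype is cleaned afterwards
// so the demonstration leaves no side effects in the process.
function demonstrate() {
  const argv = ['--__proto__.y=Polluted', '--name=proxy'];

  parseArgsVulnerable(argv);
  const pollutedValue = ({}).y; // 'Polluted': every object now carries y
  delete Object.prototype.y;

  const { result, rejected } = parseArgsSafe(argv);
  const afterSafe = ({}).y; // undefined: the dangerous path was refused

  return { pollutedValue, afterSafe, safeName: result.name, rejected };
}

console.log(demonstrate());
```

The detection value of `rejected` is that an application can log or alert on refused key paths instead of silently dropping them; in a real service, a `__proto__` segment in user-supplied arguments is a signal worth recording.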