Security Flaw in Node.js Http-Proxy Middleware Affecting Multiple Versions
CVE-2026-55603

7.5 HIGH

Key Information:

Vendor: Chimurai
CVE Published: 22 June 2026

What is CVE-2026-55603?

The http-proxy-middleware library, used in Node.js applications, contains a vulnerability in specific versions that allows attackers to manipulate multipart/form-data requests. By placing carriage return and line feed (CR/LF) characters in request body keys or values, an attacker can close the current part and inject a new form part. The body content processed by the proxy and the body received by the backend systems can then differ, so the two evaluate different parameters and validation checks can be bypassed. Versions 3.0.7 and 4.1.1 include mitigations for this issue.
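The following JavaScript is an added example, not code from this advisory or from http-proxy-middleware: it re-serializes a parsed body to multipart/form-data so that field names and values cannot alter the part structure. The function names, boundary string and sample fields are constructed, and the caller is assumed to supply a random per-request boundary.

```javascript
// Added example, not http-proxy-middleware's code. Names and sample data are constructed.

// Percent-encode the characters that could end the quoted name parameter or
// its header line (the escaping the WHATWG HTML spec defines for form-data names).
function escapeName(name) {
  return String(name)
    .replace(/\r/g, '%0D')
    .replace(/\n/g, '%0A')
    .replace(/"/g, '%22');
}

// Assumption: the caller passes a boundary freshly generated from a CSPRNG
// for each request, so it cannot be predicted by whoever supplies the fields.
function serializeMultipart(fields, boundary) {
  const delimiter = `--${boundary}`;
  let out = '';
  for (const [key, value] of Object.entries(fields)) {
    const text = String(value);
    // Line breaks are legal inside a value; the delimiter is not. A value that
    // contains it would open a part the original request never had.
    if (text.includes(delimiter)) {
      throw new Error(`field "${escapeName(key)}" contains the multipart boundary`);
    }
    out += `${delimiter}\r\n`;
    out += `Content-Disposition: form-data; name="${escapeName(key)}"\r\n\r\n`;
    out += `${text}\r\n`;
  }
  return `${out}${delimiter}--\r\n`;
}

// Count parts as a downstream parser would see them: one per delimiter line.
function countParts(body, boundary) {
  return body.split('\r\n').filter((line) => line === `--${boundary}`).length;
}

// Constructed input: one key carries a quote and CR/LF, one value has a line break.
const sampleBoundary = 'example-boundary-7f3a';
const sampleFields = { 'note"\r\nX-Extra: 1': 'hello', comment: 'line one\r\nline two' };
const sampleBody = serializeMultipart(sampleFields, sampleBoundary);
console.log(countParts(sampleBody, sampleBoundary), 'parts for', Object.keys(sampleFields).length, 'fields');
```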

Affected Version(s)

http-proxy-middleware >= 3.0.4, < 3.0.7 < 3.0.4, 3.0.7

http-proxy-middleware >= 4.0.0, < 4.1.1 < 4.0.0, 4.1.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
