Bug 2491525 (CVE-2026-55603)

Summary: CVE-2026-55603 http-proxy-middleware: http-proxy-middleware: Data integrity compromise via CR/LF injection
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, alizardo, anpicker, ataylor, bbrownin, bdettelb, bparees, brasmith, cdrage, cmah, cochase, dbosanac, dbruscin, dkeler, dkuc, doconnor, dranck, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehugonne, erezende, fdeutsch, fmariani, ggrzybek, gmalinko, gparvin, hasun, ibolton, janstey, jchui, jfula, jhe, jkoehler, jlanda, jmatthew, jmontleo, jolong, jowilson, jraez, jreimann, jwong, jwon, kaycoth, kshier, ktsao, kvanderr, lball, lchilton, lphiri, mcarlett, mdessi, mrizzi, nboldt, ngough, nyancey, oaljalju, omaciel, ometelka, orabin, oramraz, pahickey, parichar, pcattana, pdelbell, pgaikwad, pjindal, psrna, ptisnovs, rhaigner, rhel-process-autobot, rjohnson, rstepani, rushinde, sfeifer, simaishi, slucidi, smullick, sseago, stcannon, stirabos, suppawar, syedriko, tasato, tcunning, teagle, thason, ttakamiy, veshanka, watson-tool-maintainers, xdharmai, yfang, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in http-proxy-middleware. A remote attacker could exploit a vulnerability in the fixRequestBody() function, which is used to re-emit a request body. By injecting carriage return and line feed characters (\r\n) into a request body key or value, an attacker can bypass security policies and validation performed by the proxy. This desynchronization between the proxy and the backend server can lead to a compromise of data integrity.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-22 21:02:12 UTC
http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody() is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with handlerFormDataBodyData(), which interpolates each req.body key and value directly into the multipart wire format without neutralizing CR/LF. A \r\n inside a value (or key) lets an attacker close the current part and inject an entirely new form part. Because the proxy's own body parser saw a single opaque value, any gateway-side policy or validation performed on req.body is evaluated against a different set of fields than the upstream backend ultimately parses a request/parameter desynchronization across the trust boundary. This vulnerability is fixed in 3.0.7 and 4.1.1.