{"id":"CVE-2026-55602","summary":"http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass","details":"http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configured host+path key can still route a request to an unintended backend. This vulnerability is fixed in 2.0.10, 3.0.6, and 4.1.0.","aliases":["GHSA-64mm-vxmg-q3vj"],"modified":"2026-07-08T08:14:00.537166316Z","published":"2026-06-22T15:58:08.699Z","related":["CGA-6fhh-qhc9-7m53"],"database_specific":{"cwe_ids":["CWE-187","CWE-20"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55602.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55602.json"},{"type":"ADVISORY","url":"https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-64mm-vxmg-q3vj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55602"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/chimurai/http-proxy-middleware","events":[{"introduced":"09926cdd29573e2966993a743d8b68e415f9c6b5"},{"fixed":"f0be839066ba14f2598c6c1aef10ff54b020babb"},{"introduced":"84bfa46fc7174f46b9f24c1e7a7a1a977f0993f3"},{"fixed":"ea0bb98867bda354b759e92ce1933ab43cbbbcf8"},{"introduced":"8f356bcb5fce079460564f729da55814363361a6"},{"fixed":"013dd9bbdf3436fe9c17a2c24a0d04a0fcb6de19"}],"database_specific":{"cpe":"cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0.16.0"},{"fixed":"2.0.10"},{"introduced":"3.0.0"},{"fixed":"3.0.6"},{"introduced":"4.0.0"},{"fixed":"4.1.0"}],"source":"CPE_RANGE"}}],"versions":["v2.0.10-beta.0","v2.0.9","v4.1.0-beta.2","v4.1.0-beta.1","v4.1.0-beta.0","v4.0.0","v3.0.5","v2.0.8","v3.0.4","v2.0.7","v3.0.3","v3.0.2","v2.0.7-beta.1","v2.0.7-beta.0","v2.0.6","v3.0.1","v3.0.1-beta.1","v3.0.1-beta.0","v3.0.0","v2.0.4","v2.0.5","v2.0.3","v2.0.2","v2.0.1","v2.0.0","v1.3.1","v1.3.0","v1.2.1","v1.2.0","v1.1.2","v1.1.1","v1.1.0","v1.0.6","v1.0.5","v1.0.4","v0.19.1","v1.0.3","v1.0.2","v1.0.1","v1.0.0","v0.21.0","v0.20.0","v0.20.0-beta.0","v0.19.0","v0.18.0","v0.17.4","v0.17.3","v0.17.2","v0.17.1","v0.17.0","v0.16.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55602.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}]}