[GHSA-64mm-vxmg-q3vj] http-proxy-middleware router host+path substring matching allows Host-header-driven backend routing bypass#8072
Conversation
Hi there @chimurai! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
Updates the GHSA-64mm-vxmg-q3vj advisory record to refine which http-proxy-middleware versions are affected, reflecting separate fixed versions across major release lines (including the newly backported v2 fix mentioned in the PR description).
Changes:
- Adjusts the v3 affected range to start at 3.0.0 (previously 0.16.0) and keeps the v3 fix at 3.0.6.
- Adds an additional affected range covering the v2 line (0.16.0 → fixed in 2.0.10).
- Updates the advisory `modified` timestamp.
| { | ||
| "introduced": "0.16.0" | ||
| "introduced": "3.0.0" | ||
| }, | ||
| { | ||
| "fixed": "3.0.6" |
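Review bot: the visible hunk only moves the v3 range's `introduced` event from 0.16.0 to 3.0.0 and leaves `fixed` at 3.0.6; the separate v2 range (introduced 0.16.0, fixed 2.0.10) that the overview describes is not in this excerpt, so confirm it was added as its own entry in the `affected` array rather than merely narrowing the existing one, otherwise every version from 0.16.0 up to 2.0.9 silently drops out of the advisory's affected set even though the v2 fix only landed in 2.0.10.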
LGTM. Thanks for updating the affected versions @G-Rath Ref: GHSA-64mm-vxmg-q3vj
Comments
I backported the fix to v2: chimurai/http-proxy-middleware#1268