Skip to content

fix: harden proxy-table matching to prevent routing bypass#1268

Merged
chimurai merged 1 commit into
chimurai:2.xfrom
G-Rath:backport
Jun 19, 2026
Merged

fix: harden proxy-table matching to prevent routing bypass#1268
chimurai merged 1 commit into
chimurai:2.xfrom
G-Rath:backport

Conversation

@G-Rath

@G-Rath G-Rath commented Jun 18, 2026

Copy link
Copy Markdown

Description

Backports security fix for GHSA-64mm-vxmg-q3vj

fixes #1266

Motivation and Context

v2 is heavily used by dependencies such as webpack-dev-server so having a backport would be very helpful for the ecosystem

How has this been tested?

Using the reproduction and with the ported tests

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.

Summary by CodeRabbit

  • Bug Fixes
    • Hardened router proxy-table matching to prevent routing bypass by enforcing exact host matching and prefix-based path matching instead of substring matching.
    • Added regression tests to ensure malformed host variants cannot incorrectly match routing rules.

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The PR title accurately describes the main security hardening change to proxy-table matching logic to prevent routing bypass, which is the primary focus of the changeset.
Linked Issues check ✅ Passed The PR implements the security fix for GHSA-64mm-vxmg-q3vj by hardening proxy-table matching to prevent routing bypass as requested in issue #1266, with appropriate test coverage.
Out of Scope Changes check ✅ Passed All changes are directly related to the security fix scope: router logic hardening, test coverage, CHANGELOG documentation, and a minor spell-checker configuration update.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@G-Rath G-Rath marked this pull request as ready for review June 18, 2026 23:03
@G-Rath

G-Rath commented Jun 19, 2026

Copy link
Copy Markdown
Author

Annoying that CI is being flakey - in my fork CI passed with only one rerun being needed :/

@chimurai

chimurai commented Jun 19, 2026

Copy link
Copy Markdown
Owner

This is one of the reasons not to support v2 anymore 🫥

CI stability has been improved in v4 and doesn't rely on third-party for e2e tests...

@coveralls

Copy link
Copy Markdown

Coverage Status

coverage: 98.113% (+0.04%) from 98.072% — G-Rath:backport into chimurai:2.x

@chimurai chimurai merged commit d0f7d63 into chimurai:2.x Jun 19, 2026
63 of 153 checks passed
@chimurai chimurai linked an issue Jun 19, 2026 that may be closed by this pull request
@chimurai

chimurai commented Jun 19, 2026

Copy link
Copy Markdown
Owner

mbouaziz added a commit to SkipLabs/skip that referenced this pull request Jul 10, 2026
## Summary
Addresses Dependabot alert
[342](https://github.com/SkipLabs/skip/security/dependabot/342) —
[GHSA-64mm-vxmg-q3vj](GHSA-64mm-vxmg-q3vj)
/ CVE-2026-55602 (**medium**: `http-proxy-middleware` `router` host+path
substring matching allows a Host-header-driven backend routing bypass).

The advisory has three per-major ranges; the one that applies here is
`>= 0.16.0, < 2.0.10` → patched **2.0.10**. `www` had
`http-proxy-middleware@2.0.9`.

## Fix
Transitive dep of `webpack-dev-server` (`^2.0.9`), so a plain `npm
update http-proxy-middleware --package-lock-only` bumps it to **2.0.10**
within range — no override needed. Single-package, 3-line diff.

## Breaking-change check
2.0.10's only code change is [`fix: harden proxy-table matching to
prevent routing bypass`
(#1268)](chimurai/http-proxy-middleware#1268) —
the security fix itself — plus a CI publish chore. The public API is
unchanged; semver-patch.

## Verification
- Fresh `npm install` → single `http-proxy-middleware@2.0.10`; no copy
in any advisory range (`0.16.0–2.0.10`, `3.0.0–3.0.6`, `4.0.0–4.1.0`).
- Diff scoped to the one package.

Dev-only tooling — `webpack-dev-server`'s proxy during `docusaurus
start`; never runs in CI or reaches the shipped static site.

_(Referencing the Dependabot alert by URL rather than `#342` to avoid
GitHub's auto-close keyword colliding with an unrelated PR/issue
number.)_

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Backporting security fixes to v2

3 participants