CVE-2025-32996 in http-proxy-middlewareinfo

Summary

by MITRE • 04/15/2025

In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 10/22/2025

The vulnerability identified as CVE-2025-32996 affects the http-proxy-middleware library, a widely used Node.js middleware for proxying HTTP requests. This issue exists in versions prior to 2.0.8 and 3.x prior to 3.0.4, representing a critical flaw in the library's request handling logic. The vulnerability stems from a programming error in how the library processes request bodies during proxy operations, specifically within the writeBody function execution flow.

The technical flaw manifests as a logical error in conditional statement implementation where the developer used chained if statements instead of else if constructs. This design decision allows the writeBody function to be invoked multiple times during a single request processing cycle when certain conditions are met. The improper conditional logic creates a scenario where the same request body processing operation can execute twice, leading to unexpected behavior in the proxy middleware's operation. This flaw represents a classic software development error that can be categorized under CWE-483, which deals with improper control flow implementation, and more specifically aligns with CWE-484, which addresses missing break statements in switch constructs or improper conditional logic.

The operational impact of this vulnerability extends beyond simple duplicate execution of code. When writeBody is called twice, it can result in corrupted request data, duplicated headers, or malformed responses that could be exploited by attackers to manipulate proxy behavior. The vulnerability could potentially allow for request smuggling attacks, where duplicate processing might create inconsistencies in how requests are forwarded to backend servers. Additionally, the double execution could cause performance degradation, resource exhaustion, or create opportunities for injection attacks where malicious input could be processed twice with different outcomes. This issue directly maps to techniques described in the ATT&CK framework under T1590 for reconnaissance and T1071 for application layer protocol usage, as attackers could leverage this behavior to better understand the proxy's operation and potentially exploit other related vulnerabilities.

Mitigation strategies for CVE-2025-32996 involve immediate upgrading to versions 2.0.8 or 3.0.4 and later, which contain the necessary fix for the conditional logic error. Organizations should conduct thorough testing of their proxy configurations after applying the update to ensure no regressions in functionality. Security teams should also monitor for any unusual proxy behavior or performance degradation that might indicate exploitation attempts. The fix implemented in the updated versions ensures proper conditional flow control by using appropriate else if constructs, preventing the duplicate invocation of the writeBody function. Additionally, implementing proper input validation and request monitoring can help detect anomalous behavior that might indicate exploitation attempts, while maintaining comprehensive logging of proxy operations can aid in forensic analysis if incidents occur.

Responsible

MITRE

Reservation

04/15/2025

Disclosure

04/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00408

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!