CVE-2025-32997 in http-proxy-middleware
Summary
by MITRE • 04/15/2025
In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 10/22/2025
The vulnerability identified as CVE-2025-32997 affects the http-proxy-middleware library versions prior to 2.0.9 and 3.x prior to 3.0.5, representing a critical security flaw in API gateway and proxy middleware implementations. This issue manifests when the middleware processes HTTP requests through a proxy configuration while failing to properly validate the request body parsing status before proceeding with subsequent operations. The root cause lies in the library's failure to implement proper error handling for the body parsing component, allowing execution to continue even when the underlying bodyParser encounters an error during request processing. This behavior creates a dangerous condition where malformed or improperly formatted request bodies can be processed by downstream components without proper validation, potentially leading to injection attacks or data corruption scenarios.
The technical implementation flaw stems from a lack of proper error propagation within the middleware's request handling pipeline. When the bodyParser component fails to parse the incoming request body due to malformed content, invalid encoding, or other parsing errors, the fixRequestBody function continues execution instead of aborting the operation or returning an appropriate error response. This design decision violates fundamental security principles and creates a pathway for attackers to bypass input validation mechanisms that should normally prevent malformed data from reaching application logic. The vulnerability operates at the application layer and can be classified under CWE-252, which represents an "Unchecked Return Value" where the return value of a function call is not checked for errors, leading to continued execution in an error state.
The operational impact of this vulnerability extends across various attack vectors and system configurations where http-proxy-middleware is deployed as part of API gateway solutions, reverse proxy implementations, or microservices architectures. Attackers can exploit this weakness by crafting malicious HTTP requests with malformed body content that would normally be rejected by proper input validation but instead proceed through the proxy middleware unimpeded. This vulnerability aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter: PowerShell and similar execution methods where improperly validated inputs can be used to inject malicious payloads into downstream systems. The vulnerability is particularly dangerous in environments where the proxy middleware serves as a security boundary or acts as a gateway for sensitive data processing, as it allows attackers to potentially bypass security controls that depend on proper request body validation.
Mitigation strategies for CVE-2025-32997 require immediate patching of affected http-proxy-middleware versions to 2.0.9 or 3.0.5 respectively, ensuring that all systems utilizing this middleware component receive the necessary security updates. Organizations should also implement additional defensive measures including input validation at multiple layers, monitoring for unusual request patterns, and implementing proper error handling mechanisms that prevent execution flow continuation after parsing failures. Network segmentation and API gateway security controls should be reviewed to ensure that even if this specific vulnerability is exploited, the attack surface remains limited. The fix implemented in the patched versions addresses the core issue by ensuring that requestBody processing halts when bodyParser encounters failures, preventing erroneous data from propagating through the system and maintaining the integrity of the proxy middleware's security posture.