CVE-2024-21536

7.5 HIGH

📋 TL;DR

A Denial of Service vulnerability in http-proxy-middleware allows attackers to crash Node.js servers by sending requests to specific paths. This affects all applications using vulnerable versions of the middleware package. The vulnerability stems from an unhandled promise rejection in the micromatch dependency.

💻 Affected Systems

Products:
  • http-proxy-middleware
Versions: before 2.0.7; 3.0.0 up to but not including 3.0.3
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using vulnerable versions are affected regardless of proxy settings.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server crash leading to service unavailability for all users until manual restart.

🟠 Likely Case

Targeted DoS attacks causing intermittent service disruptions and increased operational overhead.

🟢 If Mitigated

Minimal impact with proper monitoring and automatic restart mechanisms in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests to specific paths that trigger the micromatch error.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.7 or 3.0.3

Vendor Advisory: https://github.com/chimurai/http-proxy-middleware/security/advisories

Restart Required: Yes

Instructions:

1. Update package.json to use http-proxy-middleware version 2.0.7 or 3.0.3.
2. Run 'npm update http-proxy-middleware' or 'yarn upgrade http-proxy-middleware'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Implement a global unhandled promise rejection handler

Applies to: all versions

Add process-level error handling so the unhandled rejection from micromatch is logged instead of terminating the Node.js process:

  // Log the rejection instead of letting Node.js terminate the process
  process.on('unhandledRejection', (reason, promise) => {
    console.error('Unhandled Rejection at:', promise, 'reason:', reason);
  });

🧯 If You Can't Patch

  • Implement rate limiting to restrict request frequency to vulnerable endpoints
  • Deploy reverse proxy with request filtering to block malicious path patterns

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules for the installed http-proxy-middleware version. Vulnerable if the version is below 2.0.7, or is 3.0.0 through 3.0.2 inclusive.

Check Version:

npm list http-proxy-middleware

Verify Fix Applied:

Verify that the installed version is 2.0.7 or later on the 2.x line, or 3.0.3 or later on the 3.x line, and test with known exploit paths.
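The version check above can be scripted. The following is an added example, not code from the advisory or from the http-proxy-middleware project: it parses the package version out of `npm list http-proxy-middleware` output and reports whether it falls in the affected ranges (below 2.0.7, or 3.0.0 up to but not including 3.0.3). The `npm list` output embedded below is a constructed sample, not a real capture.

```javascript
// Added example: decide whether an installed http-proxy-middleware version
// falls in the ranges affected by CVE-2024-21536 (<2.0.7, or >=3.0.0 and <3.0.3).

const PACKAGE = 'http-proxy-middleware';

// Parse "2.0.6", "v2.0.6" or "2.0.6-beta.1" into [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions numerically on major, minor, patch; returns -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Affected: anything below 2.0.7, and 3.0.0 up to but not including 3.0.3.
function isVulnerableVersion(version) {
  if (compareVersions(version, '2.0.7') < 0) return true;
  return compareVersions(version, '3.0.0') >= 0 && compareVersions(version, '3.0.3') < 0;
}

// Pull the installed version out of `npm list http-proxy-middleware` output.
// Returns null if the package does not appear in the tree.
function installedVersionFromNpmList(output) {
  const m = new RegExp(`${PACKAGE}@(\\d+\\.\\d+\\.\\d+[^\\s]*)`).exec(output);
  return m ? m[1] : null;
}

// Combine both steps into one verdict object.
function checkNpmListOutput(output) {
  const version = installedVersionFromNpmList(output);
  if (version === null) return { installed: false, version: null, vulnerable: false };
  return { installed: true, version, vulnerable: isVulnerableVersion(version) };
}

// Constructed sample of `npm list` output (not real command output).
const SAMPLE_NPM_LIST = [
  'my-app@1.0.0 /srv/my-app',
  `└── ${PACKAGE}@2.0.6`,
].join('\n');

console.log(checkNpmListOutput(SAMPLE_NPM_LIST));
```

In practice, feed the script the real `npm list http-proxy-middleware` output from each deployment; a `vulnerable: true` verdict means the upgrade to 2.0.7 or 3.0.3 has not been applied there.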

📡 Detection & Monitoring

Log Indicators:

  • Unhandled promise rejection errors
  • Node.js process crashes
  • Increased error rates in application logs

Network Indicators:

  • Repeated requests to unusual paths
  • Spike in 500 errors from proxy endpoints

SIEM Query:

source="application.logs" AND ("unhandledRejection" OR "micromatch" OR "http-proxy-middleware crash")
