Undefined variable usage in npm package "proxy" leads to remote denial of service
proxy
[2.0.0, 2.1.1), Fixed in 2.1.1
A remote attacker can trigger a denial of service by sending a crafted HTTP request, causing the socket.remoteAddress variable to be undefined. Usage of the undefined variable raises a TypeError exception.
The following simple program is vulnerable to this issue:

    import * as http from 'http';
    import { createProxy } from 'proxy';

    const server = createProxy(http.createServer());
    server.listen(31285, () => {
      var port = server.address().port;
      console.log('HTTP(s) proxy server listening on port %d',
        port);
    });

An attacker can crash the program by sending a valid HTTP GET request followed by invalid tail data.
No mitigations are supplied for this issue
No references are supplied for this issue
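
The failure mode described above, as an added example that is not code from the proxy package or from this advisory: in Node.js, `socket.remoteAddress` can be `undefined` once a socket has been destroyed, so calling a string method on it throws a TypeError. The function names, the address-normalising logic and the sample sockets below are hypothetical and constructed for illustration.

```javascript
// Added illustration; names and logic are hypothetical and are NOT taken
// from the proxy package's source.

// Unguarded pattern: assumes remoteAddress is always a string.
function clientTagUnsafe(socket) {
  // Throws TypeError when remoteAddress is undefined.
  return socket.remoteAddress.replace(/^::ffff:/, '');
}

// Guarded pattern: a missing address is an expected state, not an error.
function clientTagSafe(socket) {
  const addr = socket.remoteAddress;
  if (typeof addr !== 'string' || addr.length === 0) return null;
  return addr.replace(/^::ffff:/, '');
}

// Wrap a request listener so a synchronous exception ends one connection
// instead of surfacing as an uncaught exception that stops the process.
function guardListener(listener, onError = () => {}) {
  return function guarded(req, res) {
    try {
      return listener(req, res);
    } catch (err) {
      onError(err);
      if (req.socket && typeof req.socket.destroy === 'function') {
        req.socket.destroy();
      }
      return undefined;
    }
  };
}

// Constructed sample sockets (plain objects standing in for net.Socket).
const liveSocket = { remoteAddress: '::ffff:192.0.2.10', destroy() { this.destroyed = true; } };
const deadSocket = { remoteAddress: undefined, destroy() { this.destroyed = true; } };

function demo() {
  const errors = [];
  const handler = guardListener((req) => clientTagUnsafe(req.socket), (e) => errors.push(e));
  const ok = handler({ socket: liveSocket }, {});
  const bad = handler({ socket: deadSocket }, {});
  return {
    ok, bad, caught: errors.length, isTypeError: errors[0] instanceof TypeError,
    destroyed: deadSocket.destroyed === true, safe: clientTagSafe(deadSocket),
  };
}
```

`guardListener` only catches exceptions thrown synchronously inside the listener; code running in later callbacks needs its own handling, and it does not replace upgrading to the fixed version 2.1.1.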