JFrog Security Research
< Back

XRAY-520917 - npm proxy undefined variable remote DoS

CVE-2023-2968 | CVSS 7.5

JFrog Severity:high

Discovered ByOri Hollanderof the JFrog Security Research Team

Published 30 May, 2023 | Last updated 30 May, 2023

Undefined variable usage in npm package "proxy" leads to remote denial of service


[2.0.0, 2.1.1), Fixed in 2.1.1

A remote attacker can trigger a denial of service by sending a crafted HTTP request, causing the socket.remoteAddress variable to be undefined. Usage of the undefined variable raises a TypeError exception.

The following simple program is vulnerable to this issue -

import * as http from 'http';
import { createProxy } from 'proxy';

const server = createProxy(http.createServer());
server.listen(31285, () => {
    var port = server.address().port;
    console.log('HTTP(s) proxy server listening on port %d',

An attacker can crash the program by sending a valid HTTP GET request followed by invalid tail data

No mitigations are supplied for this issue

No references are supplied for this issue

< Back