 

Denial of Service - http proxy - React


I am pretty sure that this error appeared only today and it never occurred before. When I create a new react app, the process found 1 high vulnerability:

High: Denial of Service

Package: http-proxy

Patched in: No patch available

Dependency of: react-scripts

Path: react-scripts > webpack-dev-server > http-proxy-middleware > http-proxy

More info: https://npmjs.com/advisories/1486

(My version of "react-scripts" is 3.4.1). Of course, "npm audit fix" doesn't work.

What can I do about it? Is it something to care about, or can I work normally?

Fabio asked May 15 '20 08:05


2 Answers

All versions of http-proxy are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:

    curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Remediation

No fix is currently available. Consider using an alternative package until a fix is made available.

Conclusion

But for the time being, you can work normally. It should not cause any type of working anomaly as of now.

Rishabh Sharma answered Oct 07 '22 21:10


Upgrade to http-proxy 1.18.1+, which contains a fix for the security issue detailed above. npm has now updated its security APIs to include the information that this issue is now resolved.

See https://github.com/http-party/node-http-proxy/issues/1446 for more info

alastairtree answered Oct 07 '22 22:10