Skip to content

(CVE-2026-55603) http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in fixRequestBody LTS #33534

Description

@TomekStolarz

Command

build

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

CVE-2026-55603

Impact

When the preconditions hold, an attacker injects/overrides multipart fields seen only by the backend:
Validation / access-control bypass bypass gateway-side field checks (demonstrated below: a gateway that forbids role=admin is bypassed; backend grants admin).
Parameter tampering add or overwrite fields the backend trusts (IDs, flags, prices).
File-part injection inject a filename="..." part into the upstream multipart stream.

Upgrade http-proxy-middleware from 3.0.5 to 3.0.7 to fix the vulnerability.

Minimal Reproduction

N/A
Angular version 20.3.x

Exception or Error


Your Environment

Angular version 20.3.x

Anything else relevant?

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: build & ciRelated the build and CI infrastructure of the projectgemini-triagedLabel noting that an issue has been triaged by geminiseverity6: security

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions