Denial of Service - http proxy - React
I am pretty sure that this error appeared only today and it never occurred before. When I create a new react app, the process found 1 high vulnerability:

High: Denial of Service

Package: http-proxy

Patched in: No patch available

Dependency of: react-scripts

Path: react-scripts > webpack-dev-server > http-proxy-middleware > http-proxy

More info: https://npmjs.com/advisories/1486

(My version of "react-scripts" is 3.4.1). Of course, "npm audit fix" doesn't work.

What can I do about it? Is it something to care about, or can I work normally?

Tallahassee answered 15/5, 2020 at 8:39 Comment(6)
Ferous: There is an issue on GitHub about this: github.com/http-party/node-http-proxy/issues/1446
Arc: The advisory given in npmjs.com/advisories/1486 states that there is no fix available yet. This is due to the fact that this vulnerability report has been added just today and needs to be evaluated further.
Flaunch: Should we stop running npm audit in the meantime?
Bonzer: Same problem happened to me today.
Aristaeus: A DoS vulnerability usually means there is a way to abuse the module to quickly take down your app without too much effort. If your http proxy is public-facing then this could be an issue. There is nothing you can do about it until there's a fix.
Sero: Feel free to ignore the error in the meantime; this is not a big problem for a server that is not exposed to the internet, and the impact would just be your dev env crashing, not production.
All versions of http-proxy are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:

curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Remediation

No fix is currently available. Consider using an alternative package until a fix is made available.

Conclusion

But for the time being, you can work normally. It should not cause any type of working anomaly as of now.

Malcolm answered 15/5, 2020 at 23:11 Comment(1)
Arvie: It will break the CI pipeline though.
Upgrade to http-proxy 1.18.1+, which contains a fix for the security issue detailed. npm has now updated its security APIs to include the information that this issue is now resolved.

See https://github.com/http-party/node-http-proxy/issues/1446 for more info

Astonishment answered 18/5, 2020 at 12:1 Comment(0)
First install the package:

npm install http-proxy --save-dev

In your package.json file add the following entries:

"resolutions": { "http-proxy": "^1.18.1" }

"scripts": { "preinstall": "npx npm-force-resolutions" }

Then run the following command in the command prompt:

npm install

This might fix your vulnerability.

Corrida answered 26/5, 2020 at 20:4 Comment(0)