I am pretty sure that this error appeared only today and it never occurred before. When I create a new react app, the process found 1 high vulnerability:

High: Denial of Service

Package: http-proxy

Patched in: No patch available

Dependency of: react-scripts

Path: react-scripts > webpack-dev-server > http-proxy-middleware > http-proxy

More info: https://npmjs.com/advisories/1486

(My version of "react-scripts" is 3.4.1). Of course, "npm audit fix" doesn't work.

What can I do about it? Is it something to care about, or can I work normally?

Özgür Can Karagöz
Fabio
  • There is an issue on GitHub about this: https://github.com/http-party/node-http-proxy/issues/1446. – nacholibre May 15 '20 at 08:48
  • The advisory given in https://npmjs.com/advisories/1486 states that there is no fix available yet. This is due to the fact that this vulnerability report has been added just today and needs to be evaluated further. – nymvno May 15 '20 at 13:17
  • Should we stop running npm audit in the meantime? – Rene Enriquez May 15 '20 at 15:13
  • Same problem happened to me today. – Leccho May 15 '20 at 18:04
  • A DoS vulnerability usually means there is a way to abuse the module to quickly take down your app without too much effort. If your HTTP proxy is public-facing then this could be an issue. There is nothing you can do about it until there's a fix. – gerwin May 15 '20 at 19:55
  • Feel free to ignore the error in the meantime; this is not a big problem for a server that is not exposed to the internet, and the impact would just be your dev env crashing, not production. – Benjamin Gruenbaum May 19 '20 at 21:59

3 Answers

All versions of http-proxy are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception: curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Remediation

No fix is currently available. Consider using an alternative package until a fix is made available.

Conclusion

But for the time being, you can work normally. It should not cause any type of working anomaly as of now.

Rishabh Sharma

Upgrade to http-proxy 1.18.1+ which contains a fix for the security issue detailed. NPM have now updated their security APIs to include the information that this issue is now resolved.

See https://github.com/http-party/node-http-proxy/issues/1446 for more info

alastairtree

First install the package:

npm install http-proxy --save-dev

In your package.json file add the following statements:

"resolutions": { "http-proxy": "^1.18.1" }

"scripts": { "preinstall": "npx npm-force-resolutions" }

Then run the following command in the command prompt:

npm install

This might fix your vulnerability.
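Whether you take the upgrade route from the answer before this one or the forced-resolutions route from this one, the thing to verify afterwards is that every nested copy of http-proxy in the lock file is at 1.18.1 or later, since the vulnerable copy in the question sits several levels deep under react-scripts. The following is an added example, not code from this thread or from the http-proxy project: it scans a package-lock.json (both the nested lockfileVersion 1 layout and the flat "packages" layout of later versions) and reports copies below the fixed release. The lock-file sample embedded in it is constructed, and the version numbers it gives for packages other than http-proxy are placeholders.

```javascript
// Added example (not from the thread): report every resolved copy of http-proxy
// in a package-lock.json that is older than the first fixed release, 1.18.1.

const FIXED_VERSION = "1.18.1"; // first http-proxy release containing the fix

// Minimal "major.minor.patch" comparison; returns <0, 0 or >0.
// A pre-release suffix is ignored, which is enough for the plain versions
// that npm records in lock files.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every resolved copy of `name`, together with the node_modules path it
// occupies. lockfileVersion 1 nests copies under "dependencies"; versions 2 and 3
// list them flat under "packages", keyed by their path.
function findPackageVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${name}`)) {
        found.push({ path, version: meta.version });
      }
    }
  }
  if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [depName, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Copies whose version is below the fixed one; an empty array means clean.
function vulnerableCopies(lock, name = "http-proxy", fixed = FIXED_VERSION) {
  return findPackageVersions(lock, name).filter(
    (copy) => compareVersions(copy.version, fixed) < 0
  );
}

// Constructed lockfileVersion 1 sample (assumption, not a real lock file): the
// top level has a patched http-proxy, but react-scripts still pulls an unpatched
// copy in through webpack-dev-server. Non-http-proxy versions are placeholders.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "http-proxy": { version: "1.18.1" },
    "react-scripts": {
      version: "3.4.1",
      dependencies: {
        "webpack-dev-server": {
          version: "0.0.0-placeholder",
          dependencies: {
            "http-proxy-middleware": { version: "0.0.0-placeholder" },
            "http-proxy": { version: "1.18.0" },
          },
        },
      },
    },
  },
};

// Stand-alone usage: `node check-http-proxy.js ./package-lock.json`; with no
// argument the constructed sample above is scanned instead.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : sampleLock;
  const bad = vulnerableCopies(lock);
  for (const copy of bad) {
    console.log(`${copy.path}: ${copy.version} is older than ${FIXED_VERSION}`);
  }
  if (bad.length === 0) console.log(`no http-proxy copy older than ${FIXED_VERSION}`);
}
```

Run it against the project's real package-lock.json after `npm install`; a non-empty report means the forced resolution or upgrade did not reach that nested copy and `npm audit` will keep flagging it.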