You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"summary": "proxy denial of service vulnerability",
10
-
"details": "A remote attacker can trigger a denial of service in the `socket.remoteAddress` variable, by sending a crafted HTTP request. Usage of the undefined variable raises a TypeError exception.\n\n",
11
-
"severity": [],
12
-
"affected": [
13
-
{
14
-
"package": {
15
-
"ecosystem": "npm",
16
-
"name": "proxy"
17
-
},
18
-
"ranges": [
2
+
"schema_version": "1.4.0",
3
+
"id": "GHSA-mj6p-3pc9-wf5m",
4
+
"modified": "2026-05-06T00:00:00Z",
5
+
"published": "2023-05-30T18:30:23Z",
6
+
"aliases": [
7
+
"CVE-2023-2968"
8
+
],
9
+
"summary": "proxy denial of service vulnerability",
10
+
"details": "A remote attacker can trigger a denial of service in the `proxy` package by sending a crafted HTTP request that causes `socket.remoteAddress` to be `undefined`. When this undefined value is consumed without a null check, a `TypeError` exception is raised, crashing the proxy server process.\n\nThe vulnerable code path in versions >= 2.0.0, < 2.1.1 reads `socket.remoteAddress` directly without guarding against the case where the socket has already been destroyed or the remote address is unavailable. An attacker with the ability to send a specially crafted HTTP request can exploit this to take down the proxy server.\n\nThe issue was fixed in version 2.1.1 by adding a guard that checks `socket.remoteAddress` before use.",
0 commit comments