Details

In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.

Severity

• CVSS Score: 4.0 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-32996
• https://github.com/chimurai/http-proxy-middleware/pull/1089
• https://github.com/chimurai/http-proxy-middleware/commit/020976044d113fc0bcbbaf995e91d05e2829a145
• https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.8
• https://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.4
• https://github.com/advisories/GHSA-4www-5p9h-95mh

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.

Severity

• CVSS Score: 4.0 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-32997
• https://github.com/chimurai/http-proxy-middleware/pull/1096
• https://github.com/chimurai/http-proxy-middleware/commit/1bdccbeec243850f1d2bb50ea0ff2151e725d67e
• https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.9
• https://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.5
• https://github.com/advisories/GHSA-9gqv-wp59-fq42

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

v7.29.0

Compare Source

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #​17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #​17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #​17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #​17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #​17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #​17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #​17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

🏃‍♀️ Performance

• babel-generator, babel-runtime-corejs3
  • #​17642 [Babel 7] Improve generator performance (@​liuxingbaoyu)

Committers: 6

• David (@​simbahax)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu
• @​magic-akari

v7.28.6

Compare Source

v16.3.2

Compare Source

v1.20.4

Compare Source

===================

• deps: qs@~6.14.0
• deps: use tilde notation for dependencies
• deps: http-errors@~2.0.1
• deps: raw-body@~2.5.3

v2.1.1

Compare Source

==========

• deps: on-headers@~1.1.0
  • Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

v17.4.2

Compare Source

v17.4.1

Compare Source

v17.4.0

Compare Source

v17.3.1

Compare Source

Changed

• Fix as2 example command in README and update spanish README

v17.3.0

Compare Source

Added

• Add a new README section on dotenv’s approach to the agentic future.

Changed

• Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

v17.2.4

Compare Source

Changed

• Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#​915)

• Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

v4.22.1

Compare Source

v4.22.0

Compare Source

v4.21.2

Compare Source

What's Changed

• Add funding field (v4) by @​bjohansebas in #​6065
• deps: path-to-regexp@​0.1.11 by @​blakeembrey in #​5956
• deps: bump path-to-regexp@​0.1.12 by @​jonchurch in #​6209
• Release: 4.21.2 by @​UlisesGascon in #​6094

Full Changelog: expressjs/express@4.21.1...4.21.2

v4.21.1

Compare Source

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in #​6029
• Release: 4.21.1 by @​UlisesGascon in #​6031

Full Changelog: expressjs/express@4.21.0...4.21.1

v4.21.0

Compare Source

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in #​5935
• finalhandler@​1.3.1 by @​wesleytodd in #​5954
• fix(deps): serve-static@​1.16.2 by @​wesleytodd in #​5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in #​5946

New Contributors

• @​agadzinski93 made their first contribution in #​5946

Full Changelog: expressjs/express@4.20.0...4.21.0

v2.0.9

Compare Source

v2.0.8

Compare Source

v4.18.1

Compare Source

v4.18.0

Compare Source

v4.17.23

Compare Source

v22.22.2

Compare Source

v22.22.1: 2026-03-05, Version 22.22.1 'Jod' (LTS)

Compare Source

Notable Changes

• [7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #​59983
• [6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #​60956
• [d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #​61419
• [4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #​60741
• [b6ebf2cd53] - doc: add avivkeller to collaborators (Aviv Keller) #​61115
• [35854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #​61094
• [5c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #​60714

Commits

• [5f773488c2] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #​61076
• [feecbb0eab] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #​61388
• [096095b127] - benchmark: add SQLite benchmarks (Guilherme Araújo) #​61401
• [b5fe481415] - benchmark: use boolean options in benchmark tests (SeokhunEom) #​60129
• [fa9faacacb] - benchmark: allow boolean option values (SeokhunEom) #​60129
• [ba8714ac21] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #​60841
• [53596de876] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #​60663
• [e8930e9d7c] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #​60603
• [1155e412b1] - benchmark: add per-suite setup option (Joyee Cheung) #​60574
• [e01903d304] - benchmark: improve cpu.sh for safety and usability (Nam Yooseong) #​60162
• [623a405747] - benchmark: add benchmark for leaf source text modules (Joyee Cheung) #​60205
• [7f5e7b9f7f] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #​60991
• [db132b85a8] - bootstrap: initialize http proxy after user module loader setup (Joyee Cheung) #​58938
• [66aab9f987] - buffer: let Buffer.of use heap (Сковорода Никита Андреевич) #​60503
• [c3cf00c671] - buffer: speed up concat via TypedArray#set (Gürgün Dayıoğlu) #​60399
• [f6fad231e9] - build: skip sscache action on non-main branches (Joyee Cheung) #​61790
• [2145f91f6b] - build: update android-patches/trap-handler.h.patch (Mo Luo) #​60369
• [5b49759dd8] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #​61414
• [24724cde40] - build: fix misplaced comma in ldflags (hqzing) #​61294
• [c57a19934e] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #​61329
• [8659d7cd07] - build: fix inconsistent quoting in Makefile (Antoine du Hamel) #​60511
• [44f339b315] - build: remove temporal updater (Chengzhong Wu) #​61151
• [d60a6cebd5] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #​61024
• [34ccf187f5] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #​61073
• [7b19e101a2] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #​60850
• [9408c4459f] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #​59984
• [2166ec7f0f] - build: use call command when calling python configure (Jacob Nichols) #​60098
• [73ef70145d] - build: remove V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE defs (Joyee Cheung) #​60296
• [7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #​59983
• [508ce6ec6c] - build, src: fix include paths for vtune files (Rahul) #​59999
• [c89d3cd570] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #​61321
• [40904a0591] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #​61431
• [6d6742e7db] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #​61344
• [6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #​60956
• [3d324a0f88] - cluster: fix port reuse between cluster (Ryuhei Shima) #​60141
• [40a58709b4] - console: optimize single-string logging (Gürgün Dayıoğlu) #​60422
• [d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #​61419
• [4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #​60741
• [a87499ae25] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #​60662
• [8c65cc11e2] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #​59956
• [91dc00a2c1] - debugger: fix event listener leak in the run command (Joyee Cheung) #​60464
• [0781bd3764] - deps: V8: backport 6a0a25a (Vivian Wang) #​61688
• [0cf1f9c3e9] - deps: update googletest to 8508785 (Node.js GitHub Bot) #​61417
• [521b4b1f07] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #​61339
• [58b9d219a3] - deps: update icu to 78.2 (Node.js GitHub Bot) #​60523
• [cbc1e4306d] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #​61135
• [db59c35ed8] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #​61271
• [c18518ee3c] - deps: update nbytes to 0.1.2 (Node.js GitHub Bot) #​61270
• [376df62d63] - deps: update timezone to 2025c (Node.js GitHub Bot) #​61138
• [993e905302] - deps: update simdjson to 4.2.4 (Node.js GitHub Bot) #​61056
• [b72fd2a5d3] - deps: update googletest to 065127f (Node.js GitHub Bot) #​61055
• [d765147405] - deps: update sqlite to 3.51.1 (Node.js GitHub Bot) #​60899
• [37abe2a7d2] - deps: update zlib to 1.3.1-63d7e16 (Node.js GitHub Bot) #​60898
• [97241fcb86] - deps: update sqlite to 3.51.0 (Node.js GitHub Bot) #​60614
• [3669c7b4f4] - deps: update simdjson to 4.2.2 (Node.js GitHub Bot) #​60740
• [9a056ec89c] - deps: update googletest to 1b96fa1 (Node.js GitHub Bot) #​60739
• [b5803b3ea0] - deps: update minimatch to 10.1.1 (Node.js GitHub Bot) #​60543
• [5bf99f3d46] - deps: update cjs-module-lexer to 2.1.1 (Node.js GitHub Bot) #​60646
• [801f187357] - deps: update simdjson to 4.2.1 (Node.js GitHub Bot) #​60644
• [03c16e5a4c] - deps: update simdjson to 4.1.0 (Node.js GitHub Bot) #​60542
• [2ebfc2ca56] - deps: update amaro to 1.1.5 (Node.js GitHub Bot) #​60541
• [d24ba4fed6] - deps: update simdjson to 4.0.7 (Node.js GitHub Bot) #​59883
• [9480a139bf] - deps: update googletest to 279f847 (Node.js GitHub Bot) #​60219
• [635e67379e] - deps: update archs files for openssl-3.5.5 (Node.js GitHub Bot) #​61547
• [c7b774047d] - deps: upgrade openssl sources to openssl-3.5.5 (Node.js GitHub Bot) #​61547
• [5b324d7d7f] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #​61510
• [eef8ba0667] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #​60842
• [490f7c7fb1] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #​60643
• [66903ea3b3] - deps: update corepack to 0.34.2 (Node.js GitHub Bot) #​60550
• [a2f0b69282] - deps: update corepack to 0.34.1 (Node.js GitHub Bot) #​60314
• [c8044a48a6] - deps: V8: backport 2e4c5cf (Michaël Zasso) #​60654
• [642f518198] - doc: supported toolchain with Visual Studio 2022 only (Mike McCready) #​61451
• [625f674487] - doc: move Security-Team from TSC to SECURITY (Rafael Gonzaga) #​61495
• [029e32f8ba] - doc: added requestOCSP option to tls.connect (ikeyan) #​61064
• [68e33dfa89] - doc: restore @​ChALkeR to collaborators (Сковорода Никита Андреевич) #​61553
• [e016770d62] - doc: update IBM/Red Hat volunteers with dedicated project time (Beth Griggs) #​61588
• [ec63954657] - doc: mention constructor comparison in assert.deepStrictEqual (Hamza Kargin) #​60253
• [c8e1563a98] - doc: add CVE delay mention (Rafael Gonzaga) #​61465
• [4b00cf2b54] - doc: include OpenJSF handle for security stewards (Rafael Gonzaga) #​61454
• [4b73bf5bc8] - doc: clarify process.argv[1] behavior for -e/--eval (Jeevankumar S) #​61366
• [d3151df4b3] - doc: remove Windows Dev Home instructions from BUILDING (Mike McCready) #​61434
• [2323462e35] - doc: clarify TypedArray properties on Buffer (Roman Reiss) #​61355
• [6c5478c8b2] - doc: note resume build should not be done on node-test-commit (Stewart X Addison) #​61373
• [ba4a043103] - doc: refine WebAssembly error documentation (sangwook) #​61382
• [cd315ea589] - doc: add deprecation history for url.parse (Eng Zer Jun) #​61389
• [42db0c392d] - doc: add marco and rafael in last sec release (Marco Ippolito) #​61383
• [4c3b680fc7] - doc: packages: example of private import switch to internal (coderaiser) #​61343
• [684d15e421] - doc: add esm and cjs examples to node:v8 (Alfredo González) #​61328
• [c3f9c7a7d9] - doc: added 'secure' event to tls.TLSSocket (ikeyan) #​61066
• [aa9acad5ca] - doc: restore @​watilde to collaborators (Daijiro Wachi) #​61350
• [9cafec084e] - doc: run license-builder (github-actions[bot]) #​61348
• [cdb12ccbc6] - doc: document ALPNCallback option for TLSSocket constructor (ikeyan) #​61331
• [461c5e65c5] - doc: update MDN links (Livia Medeiros) #​61062
• [dde45baeab] - doc: add documentation for process.traceProcessWarnings (Alireza Ebrahimkhani) #​53641
• [59a7aeec92] - doc: fix filename typo (Hardanish Singh) #​61297
• [9a0a40d1ed] - doc: fix typos and grammar in BUILDING.md & onboarding.md (Hardanish Singh) #​61267
• [dca7005f9d] - doc: mention --newVersion release script (Rafael Gonzaga) #​61255
• [c0dc8ddf85] - doc: correct typo in api contributing doc (Mike McCready) #​61260
• [066af38fe1] - doc: add PR-URL requirement for security backports (Rafael Gonzaga) #​61256
• [71dd46bd0c] - doc: add reusePort error behavior to net module (mag123c) #​61250
• [f6abe3ba33] - doc: note corepack package removal in distribution doc (Mike McCready) #​61207
• [9059d49d8c] - doc: fix tls.connect() timeout documentation (Azad Gupta) #​61079
• [e7b34b76b0] - doc: missing passed, error and passed properties on TestContext (Xavier Stouder) #​61185
• [9ae2dcfbb6] - doc: clarify threat model for application-level API exposure (Rafael Gonzaga) #​61184
• [9902331a7c] - doc: correct options for net.Socket class and socket.connect (Xavier Stouder) #​61179
• [a80122d2fe] - doc: document error event on readline InterfaceConstructor (Xavier Stouder) #​61170
• [38d73c9cfa] - doc: add a smooth scrolling effect to the sidebar (btea) #​59007
• [95c51fa984] - doc: correct invalid collaborator profile (JJ) #​61091
• [f5a044763c] - doc: exclude compile-time flag features from security policy (Matteo Collina) #​61109
• [b6ebf2cd53] - doc: add @​avivkeller to collaborators (Aviv Keller) #​61115
• [35854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #​61094
• [4932322c29] - doc: add File modes cross-references in fs methods (Mohit Raj Saxena) #​60286
• [c84904e047] - doc: add missing zstd to mjs example of zlib (Deokjin Kim) #​60915
• [e615b9e2f2] - doc: clarify fileURLToPath security considerations (Rafael Gonzaga) #​60887
• [99e384e6d4] - doc: replace column with columnNumber in example of util.getCallSites (Deokjin Kim) #​60881
• [9351bb4d02] - doc: correct spelling in BUILDING.md (Rich Trott) #​60875
• [e1f6e7fc4d] - doc: update debuglog examples to use 'foo-bar' instead of 'foo' (xiaoyao) #​60867
• [ccbb2d7300] - doc: fix typos in changelogs (Rich Trott) #​60855
• [1cb2fe8b35] - doc: mark module.register as active development (Chengzhong Wu) #​60849
• [ceeb4968a6] - doc: add fullName property to SuiteContext (PaulyBearCoding) #​60762
• [56155909dd] - doc: keep sidebar module visible when navigating docs (Botato) #​60410
• [6b637763d5] - doc: correct concurrency wording in test() documentation (Azad Gupta) #​60773
• [7183e8ffa1] - doc: clarify that CQ only picks up PRs targeting main (René) #​60731
• [d5d94303be] - doc: clarify license section and add contributor note (KaleruMadhu) #​60590
• [e0210c8f53] - doc: correct tls ALPNProtocols types (René) #​60143
• [eff87b498a] - doc: remove mention of SMS 2FA (Antoine du Hamel) #​60707
• [e77ef94a51] - doc: domain.add() does not accept timer objects (René) #​60675
• [4fe19c95ea] - doc: update Collaborators list to reflect hybrist handle change (Antoine du Hamel) #​60650
• [eece59b6ce] - doc: fix linter issues (Antoine du Hamel) #​60636
• [6e17e596e4] - doc: correct values/references for buffer.kMaxLength (René) #​60305
• [ac327ae9a7] - doc: recommend events.once to manage 'close' event (Dan Fabulich) #​60017
• [d9b149ea42] - doc: highlight module loading difference between import and require (Ajay A) #​59815
• [f6d62cb22c] - doc: fix typo in process.unref documentation (우혁) #​59698
• [6d5078b196] - doc: add some entries to glossary.md (Mohataseem Khan) #​59277
• [b0a5820dea] - doc: improve agent.createConnection docs for http and https agents (JaeHo Jang) #​58205
• [b5db02fe67] - doc: fix pseudo code in modules.md (chirsz) #​57677
• [e9b912d481] - doc: add missing variable in code snippet (Koushil Mankali) #​55478
• [44c06c7812] - doc: add missing word in single-executable-applications.md (Konstantin Tsabolov) #​53864
• [482b43f160] - doc: fix typo in http.md (Michael Solomon) #​59354
• [cd323bc718] - doc: update devcontainer.json and add documentation (Joyee Cheung) #​60472
• [c7c70f3a16] - doc: add haramj as triager (Haram Jeong) #​60348
• [04b8c4d14e] - doc: clarify require(esm) description (dynst) #​60520
• [de382dc832] - doc: instantiate resolver object (Donghoon Nam) #​60476
• [b6845ce460] - doc: clarify --use-system-ca support status (Joyee Cheung) #​60340
• [0894dae9bc] - doc: add missing CAA type to dns.resolveAny() & dnsPromises.resolveAny() (Jimmy Leung) #​58899
• [c86a69f692] - doc: use any for worker_threads.Worker 'error' event argument err (Jonas Geiler) #​60300
• [0c5031e233] - doc: update decorator documentation to reflect actual policy (Muhammad Salman Aziz) #​60288
• [b01f710175] - doc: document wildcard supported by tools/test.py (Joyee Cheung) #​60265
• [b4524dabcc] - doc: fix blob.bytes() heading level (XTY) #​60252
• [5df02776e3] - doc: fix not working code example in vm docs (Artur Gawlik) #​60224
• [6a4359a0b5] - doc: improve code snippet alternative of url.parse() using WHATWG URL (Steven) #​60209
• [ad06bee70d] - doc: use markdown when branch-diff major release (Rafael Gonzaga) #​60179
• [c0d4b11ed4] - doc: update teams in collaborator-guide.md and add links (Bart Louwers) #​60065
• [20b5ffcac3] - doc: update previous version links in BUILDING (Mike McCready) #​61457
• [de345ea3a3] - doc: correct description of error.stack accessor behavior (René) #​61090
• [d8418d9de7] - doc: fix link in --env-file=file section (N. Bighetti) #​60563
• [1107bda21e] - doc: fix v22 changelog after security release (Marco Ippolito) #​61371
• [42aab9469a] - doc: add missing history entry for sqlite.md (Antoine du Hamel) #​60607
• [deb6d5deff] - doc, module: change async customization hooks to experimental (Gerhard Stöbich) #​60302
• [c659add7d1] - doc,src,lib: clarify experimental status of Web Storage support (Antoine du Hamel) #​60708
• [dda95e91b9] - esm: avoid throw when module specifier is not url (Craig Macomber (Microsoft)) #​61000
• [912945be89] - events: remove redundant todo (Gürgün Dayıoğlu) #​60595
• [22e156eb10] - events: remove eventtarget custom inspect branding (Efe) #​61128
• [df6fd9b03f] - fs: remove duplicate getValidatedPath calls (Mert Can Altin) #​61359
• [6ea3e4d850] - fs: fix errorOnExist behavior for directory copy in fs.cp (Nicholas Paun) #​60946
• [dd918b9980] - fs: fix ENOTDIR in globSync when file is treated as dir (sangwook) #​61259
• [4908e67ba0] - fs: remove duplicate fd validation in sync functions (Mert Can Altin) #​61361
• [4a27bce3d9] - fs: detect dot files when using globstar (Robin van Wijngaarden) #​61012
• [b0186ff65c] - fs: validate statfs path (Efe) [#​61230](https://redire