EXECUTIVE SUMMARY:
CVE-2026-55603, with a CVSS score of 7.5, is a multipart/form-data field injection vulnerability in the npm package http-proxy-middleware. The flaw exists in the library's fixRequestBody helper, which rebuilds outgoing multipart requests by inserting user-supplied form field names and values into the multipart message format without neutralizing carriage-return and line-feed characters. An attacker can craft a request containing embedded CRLF sequences to terminate an existing form part and create unauthorized additional form fields. In environments where a proxy parses requests with a non-multipart parser and later forwards them as multipart/form-data while invoking fixRequestBody, attackers can inject arbitrary parameters, such as elevated privilege fields, that bypass gateway validation but are accepted by the backend application. Successful exploitation may enable access-control bypass, trusted parameter manipulation, malicious file-part insertion, privilege escalation, data integrity compromise, and potential financial or regulatory impact. Exploitation requires network access to the vulnerable proxy and control over at least one request field value.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-gcq2-9pq2-cxqm