Hello, I have tried everything to contact the maintainers and nobody answers me, so this is my last try.

Headers are populated into the outgoing request from the incoming one here:
https://github.com/http-party/node-http-proxy/blob/master/lib/http-proxy/common.js#L43

If you then add a `Trailer` header with any value to the incoming request, that header will be handled by the internal Node.js http lib. For a GET request, processing that header will trigger an unhandled error, `ERR_HTTP_TRAILER_INVALID`: https://github.com/nodejs/node/blob/38cc53845307fdb81dd50cfb7bcfc8c7b83b947c/lib/_http_outgoing.js#L538

An unhandled error will cause Node.js to shut down.
If any other project uses the `node-http-proxy` package and just proxies any "user" request, all of them are vulnerable to a DoS attack.
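
As an added example (not part of the original report and not node-http-proxy's own code), a project that proxies user requests can drop the `Trailer` header before the headers are copied to the outgoing request, unless the message is chunked. The function names are hypothetical, and the chunked condition assumes Node accepts `Trailer` only on a chunked outgoing message.

```javascript
'use strict';

// Hypothetical helper: true when a Transfer-Encoding value lists "chunked".
// Accepts a string or an array of strings (repeated header lines).
function isChunked(value) {
  const list = Array.isArray(value) ? value.join(',') : String(value || '');
  return list.split(',').some((t) => t.trim().toLowerCase() === 'chunked');
}

// Hypothetical mitigation: delete Trailer from `headers` unless the message
// is chunked. Mutates `headers` in place and returns the header names that
// were dropped, so the caller can log the event.
function stripInvalidTrailer(headers) {
  const names = Object.keys(headers);
  const te = names.find((n) => n.toLowerCase() === 'transfer-encoding');
  if (te !== undefined && isChunked(headers[te])) return [];
  const dropped = names.filter((n) => n.toLowerCase() === 'trailer');
  for (const n of dropped) delete headers[n];
  return dropped;
}

// Intended call site (assumption about the embedding application):
//   const dropped = stripInvalidTrailer(req.headers);
//   if (dropped.length) console.warn('dropped Trailer from', req.socket.remoteAddress);
//   proxy.web(req, res, { target });

// Constructed sample headers, shaped like Node's req.headers (lower-cased names).
const samples = [
  { method: 'GET', headers: { host: 'app.example', trailer: 'x' } },
  { method: 'POST', headers: { host: 'app.example', 'transfer-encoding': 'chunked', trailer: 'expires' } },
];
for (const s of samples) {
  const dropped = stripInvalidTrailer(s.headers);
  console.log(s.method, 'dropped:', dropped, 'forwarded:', Object.keys(s.headers));
}
```

Logging the dropped header gives operators a signal that someone is sending requests of the kind described in this report.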