Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBjNXAtaDhwZi1tdndw
Machine-In-The-Middle in https-proxy-agent
Versions of https-proxy-agent prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds the to the request with a HTTP status different than 200. This allows an attacker with access to the proxy server to intercept unencrypted communications, which may include sensitive information such as credentials.
Recommendation
Upgrade to version 3.0.0 or 2.2.3.
Permalink: https://github.com/advisories/GHSA-pc5p-h8pf-mvwpJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBjNXAtaDhwZi1tdndw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 5 years ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Identifiers: GHSA-pc5p-h8pf-mvwp
References:
- https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b
- https://hackerone.com/reports/541502
- https://www.npmjs.com/advisories/1184
- https://snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131
- https://github.com/advisories/GHSA-pc5p-h8pf-mvwp
Blast Radius: 37.8
Affected Packages
npm:https-proxy-agent
Dependent packages: 3,619Dependent repositories: 1,575,850
Downloads: 253,128,407 last month
Affected Version Ranges: < 2.2.3
Fixed in: 2.2.3
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 1.0.0, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2
All unaffected versions: 2.2.3, 2.2.4, 3.0.0, 3.0.1, 4.0.0, 5.0.0, 5.0.1, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6