CVE-2025-32996: Medium severity http-proxy-middleware vulnerability
Published Apr 15, 2025
In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.
Affected Software
7 affected components; fixes available
http-proxy-middleware http-proxy-middleware < 2.0.8
http-proxy-middleware http-proxy-middleware < 3.0.4
npm/http-proxy-middleware >= 1.3.0, < 2.0.8 (fix: 2.0.8)
npm/http-proxy-middleware >= 3.0.0, < 3.0.4 (fix: 3.0.4)
IBM Edge Application Manager <= 4.5
Chimurai Http-proxy-middleware < 2.0.8
Chimurai Http-proxy-middleware >= 3.0.0, < 3.0.4
Remediation
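To find installs that still need the upgrade to 2.0.8 or 3.0.4, the npm ranges listed above can be checked against a lockfile. The following is an added example, not code from this advisory or from the http-proxy-middleware project; the function names and the sample lockfile are constructed for illustration, and it assumes the npm package-lock.json layout (lockfileVersion 2 or 3) with a top-level "packages" map.

```javascript
// Added example: flag http-proxy-middleware installs inside the npm ranges
// this advisory lists (>=1.3.0 <2.0.8 and >=3.0.0 <3.0.4).
const AFFECTED = [
  { min: [1, 3, 0], fixed: [2, 0, 8] },
  { min: [3, 0, 0], fixed: [3, 0, 4] },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; null if it is not semver.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m && { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when p sorts before the release `bound` (3.0.4-beta.1 sorts before 3.0.4).
function before(p, bound) {
  for (let i = 0; i < 3; i++) {
    if (p.core[i] !== bound[i]) return p.core[i] < bound[i];
  }
  return p.pre;
}

// Returns the fixed version to upgrade to, or null when not in a listed range.
function fixFor(version) {
  const p = parseVersion(version);
  if (!p) throw new Error(`unparseable version: ${version}`);
  const hit = AFFECTED.find(({ min, fixed }) => !before(p, min) && before(p, fixed));
  return hit ? hit.fixed.join('.') : null;
}

// Walk the "packages" map of a parsed package-lock.json (assumed
// lockfileVersion 2 or 3) and report every affected copy, nested ones included.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/http-proxy-middleware')) continue;
    if (!meta.version) continue; // symlinked entries carry no version
    const upgradeTo = fixFor(meta.version);
    if (upgradeTo) findings.push({ path, version: meta.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile (package names other than the target are made up).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/http-proxy-middleware': { version: '3.0.5' },
  'node_modules/some-dev-server/node_modules/http-proxy-middleware': { version: '2.0.6' },
  'node_modules/legacy-tool/node_modules/http-proxy-middleware': { version: '0.19.1' },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

On a real project, pass `scanLockfile` the result of `JSON.parse` on the contents of package-lock.json; nested copies pulled in by other dependencies are reported with their full path so the parent package can be updated or overridden.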
Event History
Apr 15, 2025
CVE Published via MITRE, 12:00 AM
Data Sourced via MITRE, 12:00 AM: Description, Severity, Weakness
Data Sourced via NVD, 03:15 AM: Description, Severity, Weakness
Data Sourced via NVD, 03:15 AM: Remedy, Affected Software
Advisory Published via GitHub, 03:30 AM
Aug 20, 2025
Data Sourced via IBM, 12:00 AM: Description, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2025-32996?
CVE-2025-32996 has a medium severity rating due to potential improper handling of write operations.
2. How do I fix CVE-2025-32996?
To fix CVE-2025-32996, upgrade http-proxy-middleware to version 2.0.8 or later, or 3.0.4 or later.
3. What versions of http-proxy-middleware are affected by CVE-2025-32996?
CVE-2025-32996 affects versions of http-proxy-middleware before 2.0.8 and 3.x before 3.0.4.
4. What is the cause of the vulnerability in CVE-2025-32996?
The vulnerability arises because the conditional branches are not chained with "else if", so writeBody can be called twice.
5. Is CVE-2025-32996 part of any security compliance frameworks?
CVE-2025-32996 may impact compliance frameworks that require secure software practices, depending on the software development policies in place.