Description
Describe the Bug
Summary
Medium Severity Vulnerability in http-proxy-middleware via @angular-builders/custom-webpack@19.0.1
Objective
Address a vulnerability in http-proxy-middleware by ensuring the dependency chain is updated to a secure version and verifying correct control flow during request body processing.
Background/Context
A vulnerability has been discovered in http-proxy-middleware affecting versions prior to 2.0.8 and 3.0.4. The issue stems from an Always-Incorrect Control Flow Implementation in the fixRequestBody() function. This flaw allows the writeBody function to be called multiple times, which can lead to unexpected behavior during proxy request handling.
Dependencies:
- @angular-builders/custom-webpack@19.0.1
- Vulnerable transitive dependencies on http-proxy-middleware@3.0.3 and 2.0.7
Minimal Reproduction
Note: We can only reproduce it when we scan the project using the Snyk CLI.
Expected Behavior
There should be no vulnerabilities in the Snyk dashboard related to this.
Screenshots
Libs
- @angular/core version: "@angular/core": "^19.0.0",
- @angular-devkit/build-angular version: "@angular-devkit/build-angular": "^19.0.0",
- @angular-builders/{the name of the builder} version: "@angular-builders/custom-webpack": "^19.0.0",
For Tooling issues:
- Node version: v20.19.0
- Platform:
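
To confirm which http-proxy-middleware copies a scanner is flagging, the installed versions can be read straight from the lockfile. The script below is an added example, not code from this issue or from the angular-builders project; it assumes an npm `package-lock.json` with lockfileVersion 2 or 3, and the `SAMPLE_LOCK` entries and the `example-*` package names are constructed.

```javascript
// Added example, not project code. Entries in SAMPLE_LOCK are constructed.
const PKG = "http-proxy-middleware";

// Parse "major.minor.patch"; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Affected per the report: versions prior to 2.0.8, and 3.x prior to 3.0.4.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true; // unparseable version: flag for manual review
  return v[0] >= 3 ? lessThan(v, [3, 0, 4]) : lessThan(v, [2, 0, 8]);
}

// Walk the "packages" map of the lockfile and return every installed copy
// of the package whose version falls in an affected range.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + PKG) || typeof meta.version !== "string") continue;
    if (!isAffected(meta.version)) continue;
    // Nested copies sit under the package that needs them; hoisted copies have no parent.
    const nestedUnder = path.split("node_modules/").map((s) => s.replace(/\/$/, ""))
      .filter(Boolean).slice(0, -1);
    hits.push({ path, version: meta.version, nestedUnder });
  }
  return hits;
}

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/http-proxy-middleware": { version: "3.0.3" },
    "node_modules/example-dev-server/node_modules/http-proxy-middleware": { version: "2.0.7" },
    "node_modules/example-tool/node_modules/http-proxy-middleware": { version: "2.0.9" },
  },
};

async function main() {
  const file = process.argv[2]; // optional path to a package-lock.json
  const useFile = typeof file === "string" && file.endsWith(".json");
  const lock = useFile ? JSON.parse((await import("node:fs")).readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const h of findAffected(lock)) console.log(`${PKG}@${h.version} at ${h.path}`);
}
main();
```

Run it with the path to the project's `package-lock.json` as the first argument; with no argument it checks the constructed sample.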