org.webjars.npm:https-proxy-agent@2.2.1 vulnerabilities

  • latest version

    7.0.6

  • first published

    8 years ago

  • latest version published

    10 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.webjars.npm:https-proxy-agent package. This does not include vulnerabilities belonging to this package’s dependencies.

    Man-in-the-Middle (MitM)
    Severity: M (medium)

    org.webjars.npm:https-proxy-agent is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.

    Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). When an HTTPS request is routed through a plain HTTP proxy, https-proxy-agent opens a socket to the proxy and sends it a CONNECT request. If the proxy responds with anything other than an HTTP 200, https-proxy-agent incorrectly returns the socket to the caller without performing the TLS upgrade, so the HTTPS request is written to the proxy connection in plaintext. That request data, which may contain basic auth credentials or other secrets, is therefore sent over an unencrypted connection. A suitably positioned attacker, including a malicious proxy or anyone able to inject a non-200 CONNECT response, could read these secrets and impersonate the client.

    PoC by Kris Adler

    // PoC (vulnerable https-proxy-agent < 2.2.3): point the agent at an HTTP proxy
    // that answers CONNECT with a non-200 status; the HTTPS request, including the
    // Authorization header built from opts.auth, is then sent to it in plaintext.
    var url = require('url');
    var https = require('https');
    var HttpsProxyAgent = require('https-proxy-agent');

    var proxyOpts = url.parse('http://127.0.0.1:80'); // proxy that rejects CONNECT (e.g. 407)
    var opts = url.parse('https://www.google.com');
    var agent = new HttpsProxyAgent(proxyOpts);
    opts.agent = agent;
    opts.auth = 'username:password'; // becomes "Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ="
    https.get(opts).on('error', function (err) { console.error(err.message); });
    

    How to fix Man-in-the-Middle (MitM)?

    Upgrade org.webjars.npm:https-proxy-agent to version 2.2.3 or higher.

    Vulnerable version range: [,2.2.3)