https-proxy-agent@0.3.1 vulnerabilities

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Direct Vulnerabilities

Known vulnerabilities in the https-proxy-agent package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Man-in-the-Middle (MitM)

https-proxy-agent is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). When targeting a HTTP proxy, https-proxy-agent opens a socket to the proxy, and sends the proxy server a CONNECT request. If the proxy server responds with something other than a HTTP response 200, https-proxy-agent incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.

PoC by Kris Adler

var url = require('url');
var https = require('https');
var HttpsProxyAgent = require('https-proxy-agent');

var proxyOpts = url.parse('http://127.0.0.1:80');
var opts = url.parse('https://www.google.com');
var agent = new HttpsProxyAgent(proxyOpts);
opts.agent = agent;
opts.auth = 'username:password';
https.get(opts);

How to fix Man-in-the-Middle (MitM)?

Upgrade https-proxy-agent to version 2.2.3 or higher.

<2.2.3
  • H
Uninitialized Memory Exposure

https-proxy-agent provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.

Affected versions of this package are vulnerable to Uninitialized Memory Exposure and Denial of Service (DoS) attacks due to passing unsanitized options to Buffer(arg).

Note: CVE-2018-3739 is a duplicate of CVE-2018-3736.

How to fix Uninitialized Memory Exposure?

Upgrade https-proxy-agent to version 2.2.0 or higher. Note This is vulnerable only for Node <=4

<2.2.0