{ "threat_severity" : "Moderate", "public_date" : "2025-04-15T00:00:00Z", "bugzilla" : { "description" : "http-proxy-middleware: Always-Incorrect Control Flow Implementation in http-proxy-middleware", "id" : "2359627", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2359627" }, "cvss3" : { "cvss3_base_score" : "4.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-670", "details" : [ "In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because \"else if\" is not used.", "A flaw was found http-proxy-middleware. This vulnerability affects http-proxy-middleware versions where the writeBody function can be called twice due to improper control flow handling." ], "affected_release" : [ { "product_name" : "Red Hat Developer Hub 1.6", "release_date" : "2025-06-30T00:00:00Z", "advisory" : "RHSA-2025:9966", "cpe" : "cpe:/a:redhat:rhdh:1.6::el9", "package" : "rhdh/rhdh-hub-rhel9:sha256:79618b38d6f02457954b227d538e238fdebbb72a220af5bd6be3cfab3ad0f262" }, { "product_name" : "Red Hat Developer Hub 1.7", "release_date" : "2025-08-19T00:00:00Z", "advisory" : "RHSA-2025:14090", "cpe" : "cpe:/a:redhat:rhdh:1.7::el9", "package" : "rhdh/rhdh-hub-rhel9:sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c" } ], "package_state" : [ { "product_name" : "Cryostat 3", "fix_state" : "Fix deferred", "package_name" : "io.cryostat-cryostat3", "cpe" : "cpe:/a:redhat:cryostat:3" }, { "product_name" : "Cryostat 4", "fix_state" : "Fix deferred", "package_name" : "io.cryostat-cryostat", "cpe" : "cpe:/a:redhat:cryostat:4" }, { "product_name" : "Migration Toolkit for Applications 7", "fix_state" : "Fix deferred", "package_name" : "mta/mta-ui-rhel9", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:7" }, { "product_name" : "Network Observability Operator", "fix_state" : "Fix deferred", "package_name" : "network-observability/network-observability-console-plugin-rhel9", "cpe" : "cpe:/a:redhat:network_observ_optr:1" }, { "product_name" : "OpenShift Lightspeed", "fix_state" : "Fix deferred", "package_name" : "openshift-lightspeed-tech-preview/lightspeed-console-plugin-rhel9", "cpe" : "cpe:/a:redhat:openshift_lightspeed" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Fix deferred", "package_name" : "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform-24/lightspeed-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform-25/lightspeed-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform-26/lightspeed-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "automation-controller", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "automation-eda-controller", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "automation-gateway", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Fix deferred", "package_name" : "io.hawt-project", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Fix deferred", "package_name" : "io.apicurio-apicurio-registry", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Fix deferred", "package_name" : "org.optaweb.vehiclerouting-optaweb-vehicle-routing", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Fix deferred", "package_name" : "org.infinispan-infinispan-console", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "pcs", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "pcs", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Fix deferred", "package_name" : "io.apicurio-apicurito", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Fix deferred", "package_name" : "io.syndesis-syndesis-parent", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Fix deferred", "package_name" : "io.apicurio-apicurio-registry", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-dashboard-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-data-science-pipelines-argo-argoexec-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-ml-pipelines-api-server-v2-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-ml-pipelines-driver-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-ml-pipelines-launcher-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift distributed tracing 3", "fix_state" : "Fix deferred", "package_name" : "rhosdt/tempo-gateway-opa-rhel8", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3" }, { "product_name" : "Red Hat OpenShift distributed tracing 3", "fix_state" : "Fix deferred", "package_name" : "rhosdt/tempo-gateway-rhel8", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3" }, { "product_name" : "Red Hat OpenShift distributed tracing 3", "fix_state" : "Fix deferred", "package_name" : "rhosdt/tempo-jaeger-query-rhel8", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3" }, { "product_name" : "Red Hat OpenShift distributed tracing 3", "fix_state" : "Fix deferred", "package_name" : "rhosdt/tempo-query-rhel8", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3" }, { "product_name" : "Red Hat OpenShift distributed tracing 3", "fix_state" : "Fix deferred", "package_name" : "rhosdt/tempo-rhel8", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3" }, { "product_name" : "Red Hat OpenShift distributed tracing 3", "fix_state" : "Fix deferred", "package_name" : "rhosdt/tempo-rhel8-operator", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Fix deferred", "package_name" : "org.uberfire-uberfire-parent", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Fix deferred", "package_name" : "quay/quay-rhel8", "cpe" : "cpe:/a:redhat:quay:3" }, { "product_name" : "Red Hat Trusted Profile Analyzer", "fix_state" : "Fix deferred", "package_name" : "rhtpa/rhtpa-trustification-service-rhel9", "cpe" : "cpe:/a:redhat:trusted_profile_analyzer:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-32996\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-32996\nhttps://github.com/chimurai/http-proxy-middleware/commit/020976044d113fc0bcbbaf995e91d05e2829a145\nhttps://github.com/chimurai/http-proxy-middleware/pull/1089\nhttps://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.8\nhttps://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.4" ], "name" : "CVE-2025-32996", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }