Skip to content

v1.1.3 — Security Hardening

Latest

Choose a tag to compare

@molty3000 molty3000 released this 17 May 13:19

🔒 Security Fixes

Critical — SSRF via Absolute-Form HTTP Request (CWE-918)

buildURL() now validates that the resolved URL origin matches the configured base, blocking absolute-form HTTP requests (GET http://target/path HTTP/1.1) from bypassing the proxy base restriction.

Before: An attacker could force the proxy to forward requests to arbitrary internal targets (AWS metadata, internal services, databases) by sending an absolute-form request.
After: Returns 400 Bad Request if the resolved origin differs from the configured base.

Medium — Hop-by-Hop Response Header Pass-Through

stripHttp1ConnectionHeaders() is now applied unconditionally for all HTTP/1.1 responses (previously only applied to HTTP/2→HTTP/1.1 conversions). This prevents downstream servers from injecting hop-by-hop headers (transfer-encoding, connection, keep-alive) that could break clients. Per RFC 7230 §6.1.

Low — Error Message Information Disclosure (CWE-209)

Raw error messages are no longer forwarded to clients. Replaced with generic Bad Request, Gateway Timeout, and Service Unavailable responses.

🧪 Testing

  • 12 new security regression tests covering SSRF prevention and header stripping
  • All 78 existing tests preserved
  • CI passing on Node.js 16 and 22
  • CodeQL clean

📦 Install

npm i fast-proxy-lite@1.1.3

Full Changelog: v1.1.2...v1.1.3