CVE-2024-21536: 
JavaScript vulnerability analysis and mitigation

CVE-2024-21536 affects the http-proxy-middleware package versions before 2.0.7 and from 3.0.0 to before 3.0.3. The vulnerability was discovered on October 18, 2024, and involves a Denial of Service (DoS) condition caused by an UnhandledPromiseRejection error thrown by micromatch. The vulnerability affects Node.js applications using the affected versions of the http-proxy-middleware package (NVD, Snyk Advisory).

The vulnerability is caused by an unhandled promise rejection error thrown by the micromatch component when processing certain path patterns. The issue has a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is triggered when requests are made to specific paths, which can cause the Node.js process to crash. On versions 1 and 2 of the package, excluding pathFilter can also cause the server to crash with a 'TypeError: Cannot read properties of null (reading 'indexOf')' error from matchSingleStringPath (Snyk Advisory).

When successfully exploited, this vulnerability allows an attacker to kill the Node.js process and crash the server by making requests to certain paths. This results in a denial of service condition, making the application unavailable to legitimate users. The impact is particularly significant as it affects the availability of the service without requiring any special privileges or user interaction (Snyk Advisory).

The recommended mitigation is to upgrade http-proxy-middleware to version 2.0.7 or 3.0.3 or higher, depending on the major version being used. The vulnerability has been patched in these versions with fixes that properly handle errors in the path filtering mechanism (Patch Commit 1, Patch Commit 2).