CVE-2025-32997: 
JavaScript vulnerability analysis and mitigation

A vulnerability was discovered in http-proxy-middleware affecting versions before 2.0.9 and 3.x before 3.0.5. The issue occurs when the fixRequestBody function proceeds with execution even when bodyParser has failed, potentially leading to unintended behavior (NVD, Red Hat).

The vulnerability is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions). It has been assigned a CVSS v3.1 base score of 4.0 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N, indicating that it is network accessible, requires high attack complexity, needs no privileges, requires no user interaction, has changed scope, and can only impact integrity at a low level (NVD).

The vulnerability could lead to unintended behavior in applications using http-proxy-middleware when handling request bodies. The impact is primarily limited to the integrity of request processing, with no direct impact on confidentiality or availability (Red Hat).

The vulnerability has been fixed in http-proxy-middleware versions 2.0.9 and 3.0.5. Users are advised to upgrade to these or later versions. The fix involves adding a check for req.readableLength to prevent proceeding with fixRequestBody when bodyParser has failed (GitHub Commit).