GMS-2020-738: Machine-In-The-Middle in https-proxy-agent

April 16, 2020 (updated August 23, 2021)

Versions of https-proxy-agent prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds the to the request with a HTTP status different than 200. This allows an attacker with access to the proxy server to intercept unencrypted communications, which may include sensitive information such as credentials.

Recommendation

Upgrade to version 3.0.0 or 2.2.3.

References

github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b
github.com/advisories/GHSA-pc5p-h8pf-mvwp
hackerone.com/reports/541502
snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131
www.npmjs.com/advisories/1184

Detect and mitigate GMS-2020-738 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →