{"ecosystem":"npm","package":"https-proxy-agent","version":null,"bugs":[{"id":319,"ecosystem":"npm","package_name":"https-proxy-agent","affected_version":null,"fixed_version":"2.2.3","bug_id":"osv:GHSA-pc5p-h8pf-mvwp","title":"Machine-In-The-Middle in https-proxy-agent","description":"Versions of `https-proxy-agent` prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds to the request with an HTTP status different than 200. This allows an attacker with access to the proxy server to intercept unencrypted communications, which may include sensitive information such as credentials.\n\n\n## Recommendation\n\nUpgrade to version 3.0.0 or 2.2.3.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b","labels":[],"created_at":"2026-04-19 04:31:12.547833+00:00","updated_at":"2026-04-19 04:31:12.547833+00:00"},{"id":318,"ecosystem":"npm","package_name":"https-proxy-agent","affected_version":null,"fixed_version":"2.2.0","bug_id":"osv:GHSA-8g7p-74h8-hg48","title":"Denial of Service in https-proxy-agent","description":"Versions of `https-proxy-agent` before 2.2.0 are vulnerable to denial of service. This is due to unsanitized options (proxy.auth) being passed to `Buffer()`.\n\n\n## Recommendation\n\nUpdate to version 2.2.0 or later.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-3736","labels":["CVE-2018-3739"],"created_at":"2026-04-19 04:31:12.547833+00:00","updated_at":"2026-04-19 04:31:12.546876+00:00"}],"total":2,"_cache":"hit"}