Question 1

Is there a bug in https-proxy-agent?

Accepted Answer

Machine-In-The-Middle in https-proxy-agent Versions of `https-proxy-agent` prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds the to the request with a HTTP status different than 200. This allows an attacker with access to the proxy server to intercept unencrypted communications, which may include sensitive information such as credentials.

## Recommendation

Upgrade to version 3.0.0 or 2.2.3. Fixed in https-proxy-agent 2.2.3.

Question 2

Is there a bug in https-proxy-agent?

Accepted Answer

Denial of Service in https-proxy-agent Versions of `https-proxy-agent` before 2.2.0 are vulnerable to denial of service. This is due to unsanitized options (proxy.auth) being passed to `Buffer()`.

## Recommendation

Update to version 2.2.0 or later. Fixed in https-proxy-agent 2.2.0.

Severity	Affected	Fixed in	Title	Status	Source
medium	any	2.2.3	Machine-In-The-Middle in https-proxy-agent Versions of `https-proxy-agent` prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds the to the request with a HTTP status different than 200. This allows an attacker with access to the proxy server to intercept unencrypted communications, which may include sensitive information such as credentials. ## Recommendation Upgrade to version 3.0.0 or 2.2.3.	fixed	osv:GHSA-pc5p-h8pf-mvwp
critical	any	2.2.0	Denial of Service in https-proxy-agent Versions of `https-proxy-agent` before 2.2.0 are vulnerable to denial of service. This is due to unsanitized options (proxy.auth) being passed to `Buffer()`. ## Recommendation Update to version 2.2.0 or later.	fixed	osv:GHSA-8g7p-74h8-hg48

https-proxy-agent known bugs