Skip to content

v5.0.1 — Security hardening

Latest

Choose a tag to compare

@molty3000 molty3000 released this 17 May 14:13

Changes

🔒 Buffer overflow protection (CVE-worthy)

  • Added 1MB MAX_BUFFER_SIZE guard in default onResponse hook for chunked responses with Connection: close
  • Previously: unbounded buffering could exhaust process memory via malicious upstream
  • Now: returns 502 when response exceeds 1MB, stream destroyed safely

⬆️ fast-proxy-lite ^1.1.2 → ^1.1.3

  • SSRF fix: buildURL() now validates request origin, blocking absolute-form HTTP URLs that bypass the configured base

🧪 Regression tests

  • 2MB chunked response → 502 rejection (buffer limit)
  • 2MB chunked response with keep-alive → streams normally (no buffering)

Full test suite: 57/57 passing