The vulnerability in http-proxy-middleware arises from improper neutralization of CRLF sequences in multipart/form-data request bodies. The fixRequestBody() function rebuilds the request body by interpolating req.body keys and values directly into the multipart wire format without sanitizing CR/LF characters. An attacker can exploit this by inserting \r\n sequences in keys or values, which prematurely closes the current multipart section and injects new form parts. This causes a mismatch between the proxy's parsed request body and the backend's parsed parameters, potentially allowing attackers to bypass validation or inject unauthorized data. The issue affects versions from 3.0.4 up to but not including 3.0.7 and 4.1.1. No explicit patch or remediation level is stated in the provided data.

An attacker can exploit this vulnerability to inject additional form parts into multipart/form-data requests, causing the backend server to process different parameters than those validated by the proxy. This can lead to parameter desynchronization across trust boundaries, potentially enabling unauthorized actions or data manipulation. The CVSS score of 7.5 indicates a high impact on integrity with limited impact on confidentiality and no impact on availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The description states that the vulnerability is fixed in versions 3.0.7 and 4.1.1, so upgrading to these or later versions is recommended once confirmed. Until then, avoid using vulnerable versions or apply any official fixes provided by the vendor. No vendor advisory content is provided to confirm the patch status or additional mitigation steps.