Title: NO_PROXY domain suffix can be used to evade proxy by a non-subdomain · Issue #62907 · nodejs/node · GitHub
Open Graph Title: NO_PROXY domain suffix can be used to evade proxy by a non-subdomain · Issue #62907 · nodejs/node
X Title: NO_PROXY domain suffix can be used to evade proxy by a non-subdomain · Issue #62907 · nodejs/node
Description: Doc says: https://nodejs.org/api/http.html#no-proxy-format .example.com - Domain suffix match (matches sub.example.com) But .example.com also matches totally-not-example.com. Also (more trivially verifiable), .ample.com matches example.c...
Open Graph Description: Doc says: https://nodejs.org/api/http.html#no-proxy-format .example.com - Domain suffix match (matches sub.example.com) But .example.com also matches totally-not-example.com. Also (more trivially v...
X Description: Doc says: https://nodejs.org/api/http.html#no-proxy-format .example.com - Domain suffix match (matches sub.example.com) But .example.com also matches totally-not-example.com. Also (more trivially v...
Opengraph URL: https://github.com/nodejs/node/issues/62907
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"NO_PROXY domain suffix can be used to evade proxy by a non-subdomain","articleBody":"Doc says: https://nodejs.org/api/http.html#no-proxy-format\n\n\u003e `.example.com - Domain suffix match (matches sub.example.com)`\n\nBut `.example.com` also matches `totally-not-example.com`.\n\nAlso (more trivially verifiable), `.ample.com` matches `example.com`:\n\n```console\n% cat deepview-broken-proxy.js\nrequire('node:https').request('https://example.com', (res) =\u003e {\n console.log('status:', res.statusCode)\n process.exit(0)\n}).end()\n% HTTPS_PROXY='http://10.0.0.0:1' node --use-env-proxy deepview-broken-proxy.js \nnode:events:487\n throw er; // Unhandled 'error' event\n ^\n\nError [ERR_PROXY_TUNNEL]: Connection to establish proxy tunnel timed out after 5000ms\n...\n% HTTPS_PROXY='http://10.0.0.0:1' NO_PROXY='.ample.com' node --use-env-proxy deepview-broken-proxy.js\nstatus: 200\n```\n\nhttps://github.com/nodejs/node/blob/HEAD/lib/internal/http.js#L161\n\n\u003cdetails\u003e\n\n\u003e In `ProxyConfig#shouldUseProxy` (the transitive helper that `checkShouldUseProxy` always delegates to), the `.suffix` bypass-list rule uses `host.endsWith(suffix)` after stripping the leading dot. This matches across domain-label boundaries: a `NO_PROXY=.example.com` rule causes `checkShouldUseProxy(..., { host: 'evilexample.com' })` to return `false` (bypass proxy) because `'evilexample.com'.endsWith('example.com')` is `true`. An attacker who can choose/influence the target hostname can therefore route traffic around a proxy that was meant to intercept all `*.example.com` traffic. The check should require the character immediately preceding the suffix to be `.` (or the host to equal the suffix exactly), e.g. `host === suffix || host.endsWith('.' + suffix)` — or reuse the same form as the `*.example.com` branch (which is already safe because its effective suffix retains the leading dot).\n\n\u003c/details\u003e","author":{"url":"https://github.com/ChALkeR","@type":"Person","name":"ChALkeR"},"datePublished":"2026-04-23T06:57:12.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/62907/node/issues/62907"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:7d9e1cd7-f116-1f5d-e3ce-53cd4b7e7169 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 8DB6:1A5476:9A3397:D22488:6A4C885F |
| html-safe-nonce | b6bfa9db4d0910d00e91f0f600cc7d8ff05ca2ecce378e13e7285be356e4ef1c |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4REI2OjFBNTQ3Njo5QTMzOTc6RDIyNDg4OjZBNEM4ODVGIiwidmlzaXRvcl9pZCI6Ijg4MzQ2OTY2NzEwODQxODU2OTUiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | ae7816c9b8341f047410ff408508f0d788c6c6bfaa76a0cb9c8ba7232c7358fe |
| hovercard-subject-tag | issue:4314121161 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/nodejs/node/62907/issue_layout |
| twitter:image | https://opengraph.githubassets.com/af89282e3bdc98c820f8cc4b685334d12e161272e6cf48f0a2aa5d49eac1b234/nodejs/node/issues/62907 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/af89282e3bdc98c820f8cc4b685334d12e161272e6cf48f0a2aa5d49eac1b234/nodejs/node/issues/62907 |
| og:image:alt | Doc says: https://nodejs.org/api/http.html#no-proxy-format .example.com - Domain suffix match (matches sub.example.com) But .example.com also matches totally-not-example.com. Also (more trivially v... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | ChALkeR |
| hostname | github.com |
| expected-hostname | github.com |
| None | 3d11bb817438277de2a940854450e83a7d32b6aeb5014e9e6b00a6423900251c |
| turbo-cache-control | no-preview |
| go-import | github.com/nodejs/node git https://github.com/nodejs/node.git |
| octolytics-dimension-user_id | 9950313 |
| octolytics-dimension-user_login | nodejs |
| octolytics-dimension-repository_id | 27193779 |
| octolytics-dimension-repository_nwo | nodejs/node |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 27193779 |
| octolytics-dimension-repository_network_root_nwo | nodejs/node |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 7a2dede45637df6b92ddcfe2a557e67d4b5854ae |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width