Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (openjs).
CVSS VectorVendor: openjs
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 17 npm packages depend on @fastify/http-proxy (4 direct, 13 indirect)
- 279 npm packages depend on @fastify/reply-from (111 direct, 170 indirect)
Ecosystem-wide dependent count for version 11.4.4 and other introduced versions.
DescriptionCVE.org
@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from.
Upgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.
AnalysisAI
HTTP header smuggling in @fastify/reply-from ≤12.6.1 and @fastify/http-proxy ≤11.4.3 allows remote unauthenticated attackers to strip proxy-added security headers from upstream requests via malicious Connection header values. Attackers can retroactively remove headers intended for routing, access control, or authentication, potentially bypassing proxy-enforced security policies. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Remote exploitation against default network-accessible Fastify proxy configurations using @fastify/reply-from ≤12.6.1 or @fastify/http-proxy ≤11.4.3. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) indicates network-based unauthenticated exploitation with low complexity but present attack requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | Attacker identifies a Fastify-based API gateway that adds X-Client-Auth: trusted-user to requests forwarded to internal microservices. The attacker sends an HTTP request with Connection: X-Client-Auth, causing @fastify/reply-from to strip the proxy-added authentication header. … |
| Remediation | Upgrade @fastify/reply-from to version 12.6.2 or later, or upgrade @fastify/http-proxy to version 11.4.4 or later. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all applications using @fastify/reply-from or @fastify/http-proxy and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22877
GHSA-gwhp-pf74-vj37