Severity by source
AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 39 npm packages depend on fastify (11 direct, 28 indirect)
Ecosystem-wide dependent count for version 5.8.3.
DescriptionCVE.org
Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection - including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.
Affected Versions fastify <= 5.8.2
Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.
When trustProxy: true (trust everything), both host and protocol trust all forwarded headers - this is expected behavior. The vulnerability only manifests with restrictive trust configurations.
AnalysisAI
Fastify versions 5.8.2 and earlier contain a header spoofing vulnerability in the trustProxy implementation where the request.protocol and request.host getters incorrectly trust X-Forwarded-Proto and X-Forwarded-Host headers even from untrusted connections when a restrictive trust function is configured. An attacker who can connect directly to a Fastify instance (bypassing the intended proxy) can spoof protocol and host values, potentially bypassing HTTPS enforcement, manipulating secure cookie behavior, and defeating CSRF origin checks. This vulnerability affects applications relying on these headers for security decisions and has a CVSS score of 6.1 with adjacent attack vector and high complexity, indicating moderate real-world exploitability.
Technical ContextAI
Fastify is a Node.js web framework (CPE: cpe:2.3:a:fastify:fastify:*:*:*:*:*:*:*:*) that implements HTTP request handling with configurable trust models for reverse proxy scenarios. The trustProxy configuration option controls which headers are trusted from forwarding intermediaries; when set to a restrictive value such as a specific IP address, subnet, or custom validation function, it should enforce that only connections from trusted sources can influence request metadata. This vulnerability falls under CWE-348 (Misrepresentation of Requested Origin in Input). The root cause is that the request.protocol and request.host property getters bypass the configured trust logic and read X-Forwarded-Proto and X-Forwarded-Host headers unconditionally, allowing a direct attacker to inject false values that the application interprets as legitimate proxy-supplied metadata.
RemediationAI
Upgrade Fastify to a patched version newer than 5.8.2 immediately, as fixes have been released by the Fastify project (see https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf). Until patching is completed, apply network-level mitigations by ensuring Fastify listens only on loopback interfaces (127.0.0.1 or ::1) or behind a trusted reverse proxy with strict ingress controls; restrict network access via firewall rules to only trusted proxy servers and reject direct connections from untrusted sources. Additionally, validate the trustProxy configuration to confirm it matches your deployment topology and review application code that depends on request.protocol and request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF checks, host-based routing) to add defense-in-depth validation layers that do not rely solely on these potentially-spoofed headers.
Same weakness CWE-348 – Use of Less Trusted Source
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14431
GHSA-444r-cwp2-x5xf