Skip to main content

Red Hat CVE-2026-3635

| EUVDEUVD-2026-14431 MEDIUM
Use of Less Trusted Source (CWE-348)
2026-03-23 openjs GHSA-444r-cwp2-x5xf
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 23, 2026 - 14:00 euvd
EUVD-2026-14431
Analysis Generated
Mar 23, 2026 - 14:00 vuln.today
CVE Published
Mar 23, 2026 - 13:53 nvd
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 39 npm packages depend on fastify (11 direct, 28 indirect)

Ecosystem-wide dependent count for version 5.8.3.

DescriptionCVE.org

Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection - including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions fastify <= 5.8.2

Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers - this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

AnalysisAI

Fastify versions 5.8.2 and earlier contain a header spoofing vulnerability in the trustProxy implementation where the request.protocol and request.host getters incorrectly trust X-Forwarded-Proto and X-Forwarded-Host headers even from untrusted connections when a restrictive trust function is configured. An attacker who can connect directly to a Fastify instance (bypassing the intended proxy) can spoof protocol and host values, potentially bypassing HTTPS enforcement, manipulating secure cookie behavior, and defeating CSRF origin checks. This vulnerability affects applications relying on these headers for security decisions and has a CVSS score of 6.1 with adjacent attack vector and high complexity, indicating moderate real-world exploitability.

Technical ContextAI

Fastify is a Node.js web framework (CPE: cpe:2.3:a:fastify:fastify:*:*:*:*:*:*:*:*) that implements HTTP request handling with configurable trust models for reverse proxy scenarios. The trustProxy configuration option controls which headers are trusted from forwarding intermediaries; when set to a restrictive value such as a specific IP address, subnet, or custom validation function, it should enforce that only connections from trusted sources can influence request metadata. This vulnerability falls under CWE-348 (Misrepresentation of Requested Origin in Input). The root cause is that the request.protocol and request.host property getters bypass the configured trust logic and read X-Forwarded-Proto and X-Forwarded-Host headers unconditionally, allowing a direct attacker to inject false values that the application interprets as legitimate proxy-supplied metadata.

RemediationAI

Upgrade Fastify to a patched version newer than 5.8.2 immediately, as fixes have been released by the Fastify project (see https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf). Until patching is completed, apply network-level mitigations by ensuring Fastify listens only on loopback interfaces (127.0.0.1 or ::1) or behind a trusted reverse proxy with strict ingress controls; restrict network access via firewall rules to only trusted proxy servers and reject direct connections from untrusted sources. Additionally, validate the trustProxy configuration to confirm it matches your deployment topology and review application code that depends on request.protocol and request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF checks, host-based routing) to add defense-in-depth validation layers that do not rely solely on these potentially-spoofed headers.

Vendor StatusVendor

Share

CVE-2026-3635 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy