Skip to main content

Fastify Reply From EUVDEUVD-2026-22877

| CVE-2026-33805 CRITICAL
Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644)
2026-04-15 openjs GHSA-gwhp-pf74-vj37
9.0
CVSS 4.0 · Vendor: openjs
Share

Severity by source

Vendor (openjs) PRIMARY
9.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
7.4 HIGH
qualitative

Primary rating from Vendor (openjs).

CVSS VectorVendor: openjs

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Apr 17, 2026 - 15:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Patch released
Apr 16, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 15, 2026 - 12:39 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 10:45 euvd
EUVD-2026-22877
Analysis Generated
Apr 15, 2026 - 10:45 vuln.today
CVE Published
Apr 15, 2026 - 10:13 nvd
CRITICAL 9.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 17 npm packages depend on @fastify/http-proxy (4 direct, 13 indirect)
  • 279 npm packages depend on @fastify/reply-from (111 direct, 170 indirect)

Ecosystem-wide dependent count for version 11.4.4 and other introduced versions.

DescriptionCVE.org

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from.

Upgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.

AnalysisAI

HTTP header smuggling in @fastify/reply-from ≤12.6.1 and @fastify/http-proxy ≤11.4.3 allows remote unauthenticated attackers to strip proxy-added security headers from upstream requests via malicious Connection header values. Attackers can retroactively remove headers intended for routing, access control, or authentication, potentially bypassing proxy-enforced security policies. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted HTTP request with malicious Connection header
Delivery
Proxy processes Connection header after adding security headers
Exploit
Target headers stripped from upstream request
Execution
Upstream service receives request missing expected auth/control headers
Impact
Bypass access controls or security policies

Vulnerability AssessmentAI

Exploitation Remote exploitation against default network-accessible Fastify proxy configurations using @fastify/reply-from ≤12.6.1 or @fastify/http-proxy ≤11.4.3. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) indicates network-based unauthenticated exploitation with low complexity but present attack requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario Attacker identifies a Fastify-based API gateway that adds X-Client-Auth: trusted-user to requests forwarded to internal microservices. The attacker sends an HTTP request with Connection: X-Client-Auth, causing @fastify/reply-from to strip the proxy-added authentication header. …
Remediation Upgrade @fastify/reply-from to version 12.6.2 or later, or upgrade @fastify/http-proxy to version 11.4.4 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all applications using @fastify/reply-from or @fastify/http-proxy and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

EUVD-2026-22877 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy