
Fastify Http Proxy

1 CVE tracked for this product


CVE-2026-33805 (npm; GHSA advisory). Severity: CRITICAL. Patch available: act now.

HTTP header smuggling in @fastify/reply-from ≤12.6.1 and @fastify/http-proxy ≤11.4.3 allows a remote, unauthenticated attacker to strip proxy-added security headers from the request forwarded upstream by supplying crafted Connection header values (the Connection header nominates header names to be treated as hop-by-hop and dropped before forwarding). Headers the proxy adds for routing, access control, or authentication can therefore be removed before they reach the upstream, potentially bypassing proxy-enforced security policy. CVSS 4.0 score 9.0 (Critical), with high integrity impact on both the vulnerable system and the systems behind it. EPSS 0.04% indicates a low probability of mass exploitation even though a proof of concept is available (SSVC). Vendor patches are available: upgrade to @fastify/reply-from ≥12.6.2 or @fastify/http-proxy ≥11.4.4, whichever you depend on directly; if you use @fastify/http-proxy, also confirm with `npm ls @fastify/reply-from` that the resolved @fastify/reply-from is ≥12.6.2.
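To make the mechanism concrete, the following is an added example and not code from @fastify/reply-from or @fastify/http-proxy. It models the RFC 7230 hop-by-hop filter (a Connection header may nominate additional header names to drop) and shows why the order of "add proxy headers" versus "strip hop-by-hop headers" decides whether a client can nominate the proxy's own headers for removal. Both builder functions, the header names, and the sample values are constructed for illustration; the vulnerable ordering is an assumed model of the bug class, not a claim about the library's actual code.

```javascript
// Added example (not code from @fastify/reply-from or @fastify/http-proxy):
// a model of RFC 7230 hop-by-hop filtering and of the ordering bug class the
// advisory describes. All names and sample values are constructed.

// Header names RFC 7230 section 6.1 defines as hop-by-hop; a proxy must not
// forward them to the upstream.
const HOP_BY_HOP = new Set([
  'connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
  'te', 'trailer', 'transfer-encoding', 'upgrade',
]);

// Lower-case all header names so comparisons are case-insensitive.
function lowerKeys(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Header names nominated as hop-by-hop by the Connection header, e.g.
// "Connection: close, x-forwarded-for" nominates x-forwarded-for.
function connectionTokens(headers) {
  const value = headers.connection;
  if (value === undefined) return new Set();
  return new Set(
    String(value).split(',').map((t) => t.trim().toLowerCase()).filter((t) => t !== ''),
  );
}

// Drop the fixed hop-by-hop set plus whatever the Connection header nominates.
function stripHopByHop(headers) {
  const lowered = lowerKeys(headers);
  const nominated = connectionTokens(lowered);
  const out = {};
  for (const [name, value] of Object.entries(lowered)) {
    if (HOP_BY_HOP.has(name) || nominated.has(name)) continue;
    out[name] = value;
  }
  return out;
}

// Vulnerable ordering (assumed, to model the bug class): the proxy merges its
// own headers onto the client's first and filters the combined set afterwards,
// so the client's Connection header can nominate the proxy-added names.
function buildUpstreamHeadersVulnerable(clientHeaders, proxyHeaders) {
  const merged = { ...lowerKeys(clientHeaders), ...lowerKeys(proxyHeaders) };
  return stripHopByHop(merged);
}

// Hardened ordering: filter the client's headers first (this consumes its
// Connection header), then add the proxy's headers, which the client can no
// longer nominate. Proxy values also win over any client-supplied copies.
function buildUpstreamHeadersHardened(clientHeaders, proxyHeaders) {
  const cleaned = stripHopByHop(clientHeaders);
  return { ...cleaned, ...lowerKeys(proxyHeaders) };
}

// Constructed client request: Connection nominates the proxy's own header names.
const CLIENT_REQUEST = {
  Host: 'api.example.internal',
  Connection: 'x-forwarded-for, x-internal-auth',
  'User-Agent': 'curl/8.0',
  'X-Internal-Auth': 'attacker-guess',
};

// Constructed proxy-added headers standing in for routing/auth headers.
const PROXY_ADDED = {
  'X-Forwarded-For': '203.0.113.7',
  'X-Internal-Auth': 'proxy-secret',
};

// Build both variants so the difference can be inspected or asserted on.
function demo() {
  return {
    vulnerable: buildUpstreamHeadersVulnerable(CLIENT_REQUEST, PROXY_ADDED),
    hardened: buildUpstreamHeadersHardened(CLIENT_REQUEST, PROXY_ADDED),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints the vulnerable variant with only host and user-agent left (both proxy-added headers were nominated away, and the Connection header itself is gone), while the hardened variant forwards x-forwarded-for and x-internal-auth with the proxy's values and also discards the client's forged X-Internal-Auth copy, because that name was nominated in the client's own Connection header before the proxy's headers were added.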

Category: Information Disclosure. Affected products: Fastify Reply From, Fastify Http Proxy.
References: NVD, GitHub, VulDB
CVSS 4.0: 9.0 (Critical). EPSS: 0.04%. Severity: CRITICAL. Patch available: act now.

