9
CVE-2026-33805
- EPSS 0.33%
- Veröffentlicht 15.04.2026 10:13:25
- Zuletzt bearbeitet 01.06.2026 14:51:29
- Quelle ce714d77-add3-4f53-aff5-83d477
- CVE-Watchlists
- Unerledigt
Login@fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers
@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. Upgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fastify ≫ Fastify/http-proxy SwPlatformnode.js Version < 11.4.4
Fastify ≫ Reply-from SwPlatformnode.js Version < 12.6.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.33% | 0.245 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.6 | 3.9 | 4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
|
| ce714d77-add3-4f53-aff5-83d477b104bb | 9 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax
The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
https://cna.openjsf.org/security-advisories.html
https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37