CVE-2023-51701

Name of the Vulnerable Software and Affected Versions @fastify/reply-from versions prior to 9.6.0

Description The issue arises when a reverse proxy server built with @fastify/reply-from misinterprets the incoming body by passing a header ContentType: application/json ; charset=utf-8, potentially leading to the bypass of security checks. This occurs because @fastify/reply-from does not unify the parsing of Content-Type with the main Fastify repository, which uses fast-content-type-parse to trim after splitting. As a result, the lack of trimming in @fastify/reply-from can cause misinterpretation.

Recommendations For versions prior to 9.6.0, update to version 9.6.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the @fastify/reply-from plugin until the update can be applied. Additionally, avoid using the ContentType header with the application/json ; charset=utf-8 value in the affected API endpoints until the issue is resolved.