PT-2025-48579 · Unknown · @Fastify/Reply-From
Published: 2025-12-01 · Updated: 2026-02-06 · CVE-2025-66415
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
fastify-reply-from versions prior to 12.5.0
Description
fastify-reply-from is a Fastify plugin used to forward HTTP requests to another server. Versions of the plugin prior to 12.5.0 contain a flaw where a crafted URL allows an attacker to reach routes that are not permitted, even when the reply.from functionality is configured to restrict forwarding to specific routes.
Recommendations
Update to version 12.5.0 or later.
Affected Products
@Fastify/Reply-From