PT-2026-27132 · Fastify · Fastify

Kaka +3 · Published 2026-03-23 · Updated 2026-03-25 · CVE-2026-3635

CVSS v3.1: 6.1 Medium
Vector: AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: fastify versions through 5.8.2

Description: When the trustProxy setting is configured with a restrictive trust function (a specific IP address, a subnet, a hop count, or a custom function), the request.protocol and request.host getters incorrectly read the X-Forwarded-Proto and X-Forwarded-Host headers from all connections, including those from untrusted sources. This allows an attacker connecting directly to Fastify, bypassing the proxy, to manipulate both the protocol and host as seen by the application. This issue only occurs when trustProxy is not set to true, which trusts all forwarded headers. Applications relying on request.protocol or request.host for security-sensitive operations (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, or host-based routing) are susceptible to attack when using a restrictive trustProxy configuration.

Recommendations: fastify versions through 5.8.2 should not use a restrictive trustProxy configuration. If a proxy is not used, do not configure trustProxy. If a proxy is used, set trustProxy to true to trust all forwarded headers, or configure a custom trust function that accurately identifies trusted proxy IPs.
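The check the advisory describes as missing, shown as an added example that is not Fastify's own code: forwarded protocol and host headers are honoured only when the TCP peer passes the trust predicate, and every other connection gets the values the socket itself provides. The helper names (makeIpAllowlistTrust, resolveProtocolAndHost, securityContext), the proxy address 10.0.0.5, the client address 203.0.113.9 and the hostnames are all constructed for the illustration. In a Fastify application the same logic would run in an onRequest hook fed with request.raw.socket.remoteAddress, request.raw.socket.encrypted and request.headers, replacing direct use of request.protocol and request.host for the affected versions.

```javascript
// Added example (not Fastify's code): derive the protocol and host an
// application should act on, honouring X-Forwarded-* only when the peer is
// a trusted proxy. Trust predicate, sample requests and hostname allowlist
// are constructed for this illustration.

// Hypothetical trust predicate: an explicit allowlist of reverse-proxy IPs.
// A CIDR or hop-count policy would plug in through the same signature.
function makeIpAllowlistTrust(trustedIps) {
  const trusted = new Set(trustedIps);
  return (remoteAddress) => trusted.has(remoteAddress);
}

// First element of a comma-separated header value, trimmed and lower-cased;
// '' if the header is absent. With chained proxies the leftmost entry is the
// one nearest the client, so it is only meaningful if every hop is trusted.
function firstToken(value) {
  if (typeof value !== 'string') return '';
  return value.split(',')[0].trim().toLowerCase();
}

// conn mimics the two socket fields that matter: { remoteAddress, encrypted }.
// headers use lower-cased keys, as Node's HTTP parser delivers them.
// trustProxy is a predicate (remoteAddress) => boolean.
function resolveProtocolAndHost(conn, headers, trustProxy) {
  const socketProtocol = conn.encrypted ? 'https' : 'http';
  const socketHost = (headers['host'] || '').trim().toLowerCase();

  // Untrusted peer: forwarded headers are ignored entirely. This is the step
  // the advisory reports as missing under a restrictive trustProxy setting.
  if (!trustProxy(conn.remoteAddress)) {
    return { protocol: socketProtocol, host: socketHost, forwardedHonoured: false };
  }

  const xfProto = firstToken(headers['x-forwarded-proto']);
  const xfHost = firstToken(headers['x-forwarded-host']);
  // Only the two well-formed scheme values are accepted; anything else falls
  // back to what the socket reports.
  const protocol = (xfProto === 'https' || xfProto === 'http') ? xfProto : socketProtocol;
  const host = xfHost || socketHost;
  return { protocol, host, forwardedHonoured: true };
}

// Security decisions derived from the resolved values. Host-based routing and
// CSRF origin checks also compare against an allowlist, so that even a
// trusted proxy cannot steer the application to an unexpected host.
function securityContext(conn, headers, trustProxy, allowedHosts) {
  const { protocol, host, forwardedHonoured } = resolveProtocolAndHost(conn, headers, trustProxy);
  return {
    protocol,
    host,
    forwardedHonoured,
    hostAllowed: allowedHosts.includes(host),
    secureCookie: protocol === 'https',
    canonicalUrl: `${protocol}://${host}/`,
  };
}

// Constructed sample: one request arriving directly from an untrusted address
// with forwarded headers set, and one arriving via the trusted proxy.
const trustProxy = makeIpAllowlistTrust(['10.0.0.5']);
const allowedHosts = ['app.example'];
const direct = securityContext(
  { remoteAddress: '203.0.113.9', encrypted: false },
  { host: 'app.example', 'x-forwarded-proto': 'https', 'x-forwarded-host': 'untrusted.example' },
  trustProxy, allowedHosts);
const viaProxy = securityContext(
  { remoteAddress: '10.0.0.5', encrypted: false },
  { host: 'app.example', 'x-forwarded-proto': 'https', 'x-forwarded-host': 'app.example' },
  trustProxy, allowedHosts);

console.log('direct   :', direct);    // protocol 'http', host 'app.example', forwardedHonoured false
console.log('via proxy:', viaProxy);  // protocol 'https', host 'app.example', forwardedHonoured true
```

The direct connection keeps the plain-text protocol and the socket-level Host header, so a secure-cookie flag or HTTPS-enforcement decision made from `direct` is not influenced by the forwarded headers; the same request through the trusted proxy is upgraded to https and gets a canonical URL built from values the proxy set.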

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-3635
GHSA-444R-CWP2-X5XF

Affected Products

Fastify