PT-2026-33038 · Npm · @fastify/reply-from +1

Credits: Climba03003 +3 · Published 2026-04-15 · Updated 2026-06-01 · CVE-2026-33805

CVSS v4.0: 9.0 (Critical)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: @fastify/reply-from versions prior to 12.6.2; @fastify/http-proxy versions prior to 11.4.4

Description: A logic flaw in the header processing pipeline of the Node.js Fastify framework allows unauthenticated remote attackers to bypass security controls. The issue occurs because the rewriteRequestHeaders() function processes the client's Connection header after the proxy has added its own headers. This allows an attacker to retroactively strip headers added by the proxy for routing, access control, or security purposes by listing them in the Connection header value. This can lead to unauthorized modification of protected information or the bypass of proxy identification and authorization mechanisms.

Recommendations: Upgrade @fastify/reply-from to version 12.6.2 or later. Upgrade @fastify/http-proxy to version 11.4.4 or later.


Related Identifiers

BDU:2026-05632
CVE-2026-33805
GHSA-GWHP-PF74-VJ37

Affected Products

Fastify-Http-Proxy
@Fastify/Reply-From