PT-2026-60961 · Npm · Fastify-Http-Proxy

·

CVE-2026-16117

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v3.1

10

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions @fastify/http-proxy versions prior to 11.6.0
Description An improper input normalization issue exists where the software fails to rewrite the request prefix when the prefix segment is URL-encoded. While the router URL-decodes paths for route matching, the request.url retains the original encoded form, and the rewrite process uses a literal string replacement against the decoded prefix. This encoding mismatch allows a remote attacker to send requests with URL-encoded characters in the configured prefix, causing the proxy to match the route but skip the rewrite. Consequently, the raw encoded path is forwarded to the upstream server, which then decodes the path and serves it. This leads to a full proxy path bypass, exposing internal or administrative endpoints that were intended to be hidden via the rewritePrefix configuration, potentially resulting in unauthorized administrative actions and sensitive data exposure.
Recommendations Upgrade to @fastify/http-proxy version 11.6.0.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-16117

Affected Products

Fastify-Http-Proxy