PT-2026-60961 · Npm · Fastify-Http-Proxy
CVSS v3.1
10
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
@fastify/http-proxy versions prior to 11.6.0
Description
An improper input normalization issue exists where the software fails to rewrite the request prefix when the prefix segment is URL-encoded. While the router URL-decodes paths for route matching, the
request.url retains the original encoded form, and the rewrite process uses a literal string replacement against the decoded prefix. This encoding mismatch allows a remote attacker to send requests with URL-encoded characters in the configured prefix, causing the proxy to match the route but skip the rewrite. Consequently, the raw encoded path is forwarded to the upstream server, which then decodes the path and serves it. This leads to a full proxy path bypass, exposing internal or administrative endpoints that were intended to be hidden via the rewritePrefix configuration, potentially resulting in unauthorized administrative actions and sensitive data exposure.Recommendations
Upgrade to @fastify/http-proxy version 11.6.0.
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fastify-Http-Proxy