@fastify/http-proxy vulnerable to prefix escape via WebSocket path traversal
Summary
| CVE | CVE-2026-15631 |
|---|---|
| State | PUBLISHED |
| Assigner | openjs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-18 13:17:05 UTC |
| Updated | 2026-07-18 13:17:05 UTC |
| Description | Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which collapses dot segments, so a crafted upgrade request with path traversal sequences can escape the rewrite prefix and reach upstream endpoints that were not meant to be exposed by the proxy. This is a variant of CVE-2021-21322 in a code path that never went through the HTTP fix in fastify/reply-from. Exploitation requires a non-normalizing WebSocket client, since browsers and the ws package normalize the request path before sending, but raw HTTP clients or downstream proxies that forward the request target unchanged make the attack reachable in production topologies. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none. |
Risk And Classification
Primary CVSS: v3.1 8.7 HIGH from ce714d77-add3-4f53-aff5-83d477b104bb
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Problem Types: CWE-22 | CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ce714d77-add3-4f53-aff5-83d477b104bb | Secondary | 8.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
| 3.1 | CNA | CVSS | 8.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
ChangedConfidentiality
HighIntegrity
HighAvailability
NoneCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | @fastifyhttp-proxy | @fastify/http-proxy | affected 9.4.0 11.6.0 semver | Not specified |
| CNA | @fastifyhttp-proxy | @fastify/http-proxy | unaffected 11.6.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| cna.openjsf.org/security-advisories.html | ce714d77-add3-4f53-aff5-83d477b104bb | cna.openjsf.org | |
| github.com/fastify/fastify-http-proxy/security/advisories/GHSA-7hrw-592w... | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Universe-Theori (en)
CNA: UlisesGascon (en)
CNA: mcollina (en)
CNA: teammyinside (en)
CNA: climba03003 (en)
CNA: KuniNogu (en)
There are currently no legacy QID mappings associated with this CVE.