@fastify/http-proxy vulnerable to prefix escape via URL-encoded characters
Summary
| CVE | CVE-2026-16117 |
|---|---|
| State | PUBLISHED |
| Assigner | openjs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-18 14:17:11 UTC |
| Updated | 2026-07-18 14:17:11 UTC |
| Description | Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the upstream unchanged. The upstream then decodes the path and serves it, letting an attacker reach upstream paths that the proxy was configured to hide via rewritePrefix, including internal or administrative endpoints. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none. |
Risk And Classification
Primary CVSS: v3.1 10 CRITICAL from ce714d77-add3-4f53-aff5-83d477b104bb
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Problem Types: CWE-20 | CWE-20 CWE-20: Improper Input Validation
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ce714d77-add3-4f53-aff5-83d477b104bb | Secondary | 10 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| 3.1 | CNA | CVSS | 10 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
ChangedConfidentiality
HighIntegrity
HighAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | @fastifyhttp-proxy | @fastify/http-proxy | affected 11.6.0 semver | Not specified |
| CNA | @fastifyhttp-proxy | @fastify/http-proxy | unaffected 11.6.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| cna.openjsf.org/security-advisories.html | ce714d77-add3-4f53-aff5-83d477b104bb | cna.openjsf.org | |
| github.com/fastify/fastify-http-proxy/security/advisories/GHSA-mx7v-qhg9... | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: tndud042713 (en)
CNA: mcollina (en)
CNA: UlisesGascon (en)
There are currently no legacy QID mappings associated with this CVE.