CVE-2021-21321
Published 2021-03-02
Priority P2 (61) · Severity critical · CVSS 3.1 base score 10.0
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.82% (76.1th percentile)
fastify-reply-from is an npm package which is a fastify plugin to forward the current HTTP request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base URL of the proxied server is "/pub/", a user expects that accessing "/priv" on the target service would not be possible. In affected versions, it is possible. This is fixed in version 4.0.2.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fastify-reply-from_project | fastify-reply-from | < 4.0.2 | 4.0.2 |
| fastify | fastify-reply-from | < 4.0.2 | 4.0.2 |
| fastify | fastify-reply-from | >= 0 < 4.0.2 | 4.0.2 |
Detection & IOCs (extracted from sources)
- A crafted URL can be used to escape the configured prefix of the proxied backend service in fastify-reply-from, allowing access to paths outside the intended prefix (e.g., accessing '/priv' when only '/pub/' should be reachable).
- Monitor HTTP proxy requests through fastify-reply-from for URL patterns that traverse outside the configured base path prefix, particularly requests reaching backend paths not under the expected prefix.
- The vulnerability affects fastify-reply-from versions prior to 4.0.2. Upgrade to 4.0.2 or later to remediate.
- The severity and impact of exploitation depends heavily on what backend endpoints are exposed; environments with unauthenticated or sensitive endpoints behind the proxy are at higher risk.
- Red Hat Advanced Cluster Management for Kubernetes (rhacm2/search-ui-rhel8) is a confirmed affected package.
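How a path reference can leave the proxy prefix, the check a hardened resolver would apply, and the same rule run over proxy log lines as the detection note above suggests. This is an added example written for this page; it is not fastify-reply-from's own code or its fix. The advisory does not spell out the crafted URL, so the example assumes (an assumption, not something the page states) that the escape comes from resolving a caller-supplied reference against the backend base URL with WHATWG URL semantics, under which an absolute-path reference such as `/priv`, a dot-segment reference such as `../priv`, or a scheme-relative reference replaces the base path. The base URL `http://backend.internal/pub/`, the function names `resolveUnguarded`, `resolveUnderPrefix` and `findPrefixEscapes`, the log format and the log lines are all constructed for the example.

```javascript
// Added example for CVE-2021-21321; not fastify-reply-from's own code.
// Assumption (not stated in the advisory): the prefix escape comes from
// resolving a caller-supplied reference against the backend base URL with
// WHATWG URL semantics, i.e. what `new URL(ref, base)` does.
// The base URL, log format and log lines below are constructed for this example.

const BASE = 'http://backend.internal/pub/'; // constructed backend base URL

// Unguarded resolution: whatever `new URL(ref, base)` produces becomes the target.
function resolveUnguarded(ref, base = BASE) {
  return new URL(ref, base).href;
}

// Guarded resolution: the target must keep the base's origin and stay under
// the base path. Returns the href, or null when the reference escaped.
function resolveUnderPrefix(ref, base = BASE) {
  // A base without a trailing slash would make `new URL('x', base)` replace
  // its last path segment, so normalise it before resolving.
  const normBase = base.endsWith('/') ? base : base + '/';
  let dest;
  try {
    dest = new URL(ref, normBase);
  } catch {
    return null; // unparsable reference
  }
  const baseUrl = new URL(normBase);
  // Compare origin and parsed pathname separately so that a query string or
  // fragment, or string tricks on the full href, cannot affect the check.
  if (dest.origin !== baseUrl.origin) return null;
  if (!dest.pathname.startsWith(baseUrl.pathname)) return null;
  return dest.href;
}

// Constructed proxy log: "<time> <method> <incoming path> -> <backend target> <status>".
const SAMPLE_PROXY_LOG = [
  '2021-03-02T10:00:01Z GET /pub/docs/index.html -> http://backend.internal/pub/docs/index.html 200',
  '2021-03-02T10:00:02Z GET /pub/../priv -> http://backend.internal/priv 200',
  '2021-03-02T10:00:03Z GET /pub/assets/app.js -> http://backend.internal/pub/assets/app.js 200',
  '2021-03-02T10:00:04Z GET /pub//evil.example/priv -> http://evil.example/priv 502',
];

const LOG_RE = /^(\S+) (\S+) (\S+) -> (\S+) (\d{3})$/;

// Detection: flag every proxied request whose recorded backend target is not
// under the expected prefix. Returns the offending entries in log order.
function findPrefixEscapes(lines, base = BASE) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue; // skip lines that do not match the constructed format
    const [, time, method, incoming, target] = m;
    if (resolveUnderPrefix(target, base) === null) {
      hits.push({ time, method, incoming, target });
    }
  }
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const ref of ['priv', '/priv', '../priv', '//evil.example/priv']) {
    console.log(ref.padEnd(22), resolveUnguarded(ref).padEnd(38), String(resolveUnderPrefix(ref)));
  }
  console.log(findPrefixEscapes(SAMPLE_PROXY_LOG));
}
```

The guard compares origin and parsed pathname separately, so a query string or fragment can neither satisfy nor defeat it. It cannot know how the backend decodes percent-encoded separators such as `%2F` in the forwarded path, so treat it as defence in depth alongside the upgrade to 4.0.2 rather than a substitute for it. The log check applies the same rule to the backend target recorded for each proxied request, which is the signal a monitoring rule for this flaw should key on.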
CVSS provenance
- NVD, CVSS v3.1: 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- Red Hat (vendor): 10.0 CRITICAL
Note that the GitHub/OSV advisory below scores the same flaw with Availability set to None (A:N) rather than High. Because the vector has a changed scope (S:C), that variant still rounds to 10.0 under the CVSS 3.1 formula, so the 10.0 scores agree even though the vectors differ.
OSV · 2021-03-03 · CVE-2021-21321 [CRITICAL] · Prefix escape
### Impact
By crafting a specific URL, it is possible to escape the prefix of the proxied backend service.
If the base URL of the proxied server is `/pub/`, a user expects that accessing `/priv` on the target service would not be possible. Unfortunately, it is.
[CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
### Patches
A patch has been submitted by Corey Farrell [email protected], the reporter.
Version v4.0.2 and all later releases include the fix.
### Workarounds
There are no workarounds available.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [fastify-reply-from](https://github.com/fastify/fastify-reply-from)
* Email us at [hello@matteocol
GHSA · 2021-03-03 · CVE-2021-21321 [CRITICAL] · CWE-20 · Prefix escape (advisory text identical to the OSV entry above)
Red Hat · 2021-02-23 · CVSS 10.0 · CVE-2021-21321 [CRITICAL] · CWE-20 · fastify-reply-from: crafted URL allows prefix escape of the proxied backend service
A flaw was found in fastify-reply-from. Escaping of the prefix of the proxied backend service is possible allowing an attacker, using a specially crafted URL, to gain access to directories that would otherwise be out of bounds. The highest threat from thi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/fastify/fastify-reply-from/commit/dea227dda606900cc01870d08541b4dcc69d3889
- https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-qmw8-3v4g-gwj4
- https://www.npmjs.com/package/fastify-reply-from