
Fastify Fastify-Reply-From vulnerabilities

3 known vulnerabilities affecting fastify/fastify-reply-from.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 1

Vulnerabilities

CVE-2021-21321 | P2 | CRITICAL | CVSS 10.0 | fixed in 4.0.2 | 2021-03-02
CVE-2021-21321 [CRITICAL] CWE-20: fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is "/pub/", a user expects that accessing "/priv" on th
ghsa, nvd, osv
CVE-2023-51701 | P3 | HIGH | CVSS 7.5 | fixed in 9.6.0 | 2024-01-08
CVE-2023-51701 [HIGH] CWE-444: fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. A reverse proxy server built with `@fastify/reply-from` could misinterpret the incoming body by passing a header `ContentType: application/json ; charset=utf-8`. This can lead to bypass of security checks. This vulnerability has been patched in '@fastify/rep
nvd
CVE-2025-66415 | P4 | MEDIUM | CVSS 5.4 | fixed in 12.5.0 | 2025-12-01
CVE-2025-66415 [MEDIUM] CWE-441: fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0.
nvd