CVE-2026-33805
Published:April 15, 2026
Updated:April 23, 2026
@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from.
Upgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.
Affected Packages
https://github.com/fastify/fastify-reply-from.git (GITHUB):
Affected version(s) >=v0.1.0 <v12.6.2Fix Suggestion:
Update to version v12.6.2@fastify/reply-from (NPM):
Affected version(s) >=7.0.0 <12.6.2Fix Suggestion:
Update to version 12.6.2@fastify/http-proxy (NPM):
Affected version(s) >=7.0.0 <11.4.4Fix Suggestion:
Update to version 11.4.4Related ResourcesĀ (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
HIGH
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of HTTP Headers for Scripting Syntax
EPSS
Base Score:
0.04
