Back to CVE List

CVE-2026-15631

HIGH SEVERITY

CVSS Score & Metrics

Base Score
8.7 / 10
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Vulnerability Description

Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which collapses dot segments, so a crafted upgrade request with path traversal sequences can escape the rewrite prefix and reach upstream endpoints that were not meant to be exposed by the proxy. This is a variant of CVE-2021-21322 in a code path that never went through the HTTP fix in fastify/reply-from. Exploitation requires a non-normalizing WebSocket client, since browsers and the ws package normalize the request path before sending, but raw HTTP clients or downstream proxies that forward the request target unchanged make the attack reachable in production topologies.

Patches: upgrade to @fastify/http-proxy 11.6.0.

Workarounds: none.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-22
Source
NVD
Vendor
@fastify/http-proxy
Product
@fastify/http-proxy

External References

Discussion (0)

Add Comment

No comments yet. Be the first!