Skip to content
CVSS 10.0CVSS 10.0 · CRITICAL

CVE-2026-16117

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the upstream unchanged. The upstream then decodes the path and serves it, letting an attacker reach upstream paths that the proxy was configured to hide via rewritePrefix, including internal or administrative endpoints. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none.

View on NVD

Analysis

El plugin @fastify/http-proxy no procesa correctamente los prefijos codificados en la URL, lo que permite evadir las restricciones de ruteo configuradas. Un atacante puede aprovechar este fallo para acceder a endpoints internos o administrativos en el servidor upstream que el proxy deberia ocultar por seguridad. Es imperativo actualizar a la version 11.6.0 para mitigar este riesgo de acceso no autorizado en arquitecturas de microservicios.

Relevant roles

BackendJavascriptTypescriptCyberSecurity

Severity

Score: 10.0(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: NONE
Weakness (CWE): CWE-20

EPSS

No EPSS score yet (CVE may be too fresh).

Technical description

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the upstream unchanged. The upstream then decodes the path and serves it, letting an attacker reach upstream paths that the proxy was configured to hide via rewritePrefix, including internal or administrative endpoints. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none.

Published: 7/18/2026, 2:17:11 PM
Last modified: 7/18/2026, 2:17:11 PM

References

HomeEventsBlogResourcesTeam