Back to overview

CVE-2026-15631

HIGH
8.7
CVSS 3.1
Description
Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which collapses dot segments, so a crafted upgrade request with path traversal sequences can escape the rewrite prefix and reach upstream endpoints that were not meant to be exposed by the proxy. This is a variant of CVE-2021-21322 in a code path that never went through the HTTP fix in fastify/reply-from. Exploitation requires a non-normalizing WebSocket client, since browsers and the ws package normalize the request path before sending, but raw HTTP clients or downstream proxies that forward the request target unchanged make the attack reachable in production topologies. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none.

Metadata

CVE ID
CVE-2026-15631
State
PUBLISHED
Assigner
openjs
Reserved
2026-07-13 17:46 UTC
Published
2026-07-18 12:46 UTC
Last updated
2026-07-18 12:46 UTC
Primary CWE
CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product
@fastify/http-proxy / @fastify/http-proxy
Sources
cve.org  ·  NVD

Severity & Metrics

8.7 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Affected products (1)
VendorProductPlatformVersions
@fastify/http-proxy @fastify/http-proxy 9.4.0 < 11.6.0, 11.6.0
Weakness (CWE)
CWESourceDescription
CWE-22 cna CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.7 HIGH 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Back to overview