Back to overview

CVE-2026-16117

CRITICAL
10.0
CVSS 3.1
Description
Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the upstream unchanged. The upstream then decodes the path and serves it, letting an attacker reach upstream paths that the proxy was configured to hide via rewritePrefix, including internal or administrative endpoints. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none.

Metadata

CVE ID
CVE-2026-16117
State
PUBLISHED
Assigner
openjs
Reserved
2026-07-17 15:40 UTC
Published
2026-07-18 13:08 UTC
Last updated
2026-07-18 13:08 UTC
Primary CWE
CWE-20
CWE-20: Improper Input Validation
Vendor / Product
@fastify/http-proxy / @fastify/http-proxy
Sources
cve.org  ·  NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Affected products (1)
VendorProductPlatformVersions
@fastify/http-proxy @fastify/http-proxy 0 < 11.6.0, 11.6.0
Weakness (CWE)
CWESourceDescription
CWE-20 cna CWE-20: Improper Input Validation
CVSS scores (1)
ScoreSeverityVersionSourceVector
10.0 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Back to overview