CVE-2021-21321

Source: Google OSV (osv.dev), OSV:CVE-2021-21321
Published: 2021-03-02 04:15:12

AI Score: 9.2 High (confidence: High)

EPSS: 0.002 Low (percentile: 60.9%)

fastify-reply-from is an npm package providing a fastify plugin that forwards the current HTTP request to another server. In fastify-reply-from before version 4.0.2, a specially crafted URL can escape the prefix of the proxied backend service. If the base URL of the proxied server is "/pub/", a user expects that "/priv" on the target service would not be reachable through the proxy; in affected versions it is. This is fixed in version 4.0.2.
