By crafting a specific URL, it is possible to escape the prefix of the proxied backend service.
If the base url of the proxied server is /pub/
, a user expect that accessing /priv
on the target service would not be possible. Unfortunately, it is.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
All releases after v4.3.1 include the fix.
There are no workaround available.
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
fastify-http-proxy | lt | 4.3.1 |