11 matches found
CVE-2026-33805
@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them i...
CVE-2026-33805 @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers
@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them i...
CVE-2026-33805
CVE-2026-33805 affects @fastify/reply-from <= v12.6.1 and @fastify/http-proxy
EUVD-2021-0642
Malware in sbrugna...
Important: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.2.2 security and bug fix update
Red Hat Advanced Cluster Management for Kubernetes 2.2.2 General Availability release images, which fix several bugs and security issues. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a...
CVE-2021-21322
A flaw was found in fastify-http-proxy. Escaping the prefix of the proxied backend service is possible by an attacker using a specially crafted URL. The highest threat from this vulnerability is to data confidentiality and integrity...
Prefix escape
Overview In fastify-http-proxy before version 4.3.1, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is /pub/, a user expect that accessing /priv on the target service would not be possible. Unfortunately, it is...
@ddot/ddot-plugin-webpack (>=0.0.3 <=0.0.14), @harmonyjs/controller-auth-jwt (>=1.0.0 <=1.0.0-rc2.6) +8 more potentially affected by CVE-2021-21322 via fastify-http-proxy (>=0.7.0 <=4.1.0)
fastify-http-proxy NPM version =0.7.0, =0.0.3, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =1.0.0-alpha.2, =0.2.0, =1.1.0, =1.5.5 Source cves: CVE-2021-21322 Source advisory: OSV:GHSA-C4QR-GMR9-V23W...
CVE-2021-21322
fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is /pub/, a user expect that accessin...
Design/Logic Flaw
fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is /pub/, a user expect that accessin...
CVE-2021-21322 Prefix escape
fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is /pub/, a user expect that accessin...