EUVD-2026-14431

fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections...

CVE-2026-3635

Summary When trustProxy is configured with a restrictive trust function e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function, the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including...