4 matches found
CVE-2026-15631
Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which...
CVE-2026-16117
Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string...
CVE-2026-15631
Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which...
Envoy Security Vulnerabilities
Envoy is an open source distributed proxy server. A security vulnerability exists in Envoy versions prior to 1.30.4, 1.29.7, 1.28.5, and 1.27.7, which stems from a reference to memory that has been freed when using the cookie attribute when configuring a routing hash policy, resulting in the...