2 matches found
CVE-2026-16117
Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string...
CVE-2026-16117
The CVE concerns @fastify/http-proxy (affected: up to 11.5.0) where URL prefix rewriting fails when the prefix segment is URL-encoded. Fastify decodes paths for route matching, but request.url keeps the original encoded form. The prefixRewrite step compares against the decoded prefix using a lite...