CVE-2025-66415

Unknown Unknown - Not Provided

BaseFortify

Publication date: 2025-12-01

Last updated on: 2026-02-06

Assigner: GitHub, Inc.

Description

fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2025-12-01

Last Modified

2026-02-06

Generated

2026-06-16

AI Q&A

2025-12-02

EPSS Evaluated

2026-06-15

NVD

CVE-2025-66415

Affected Vendors & Products

Vendor	Product	Version / Range
fastify	reply-from	to 12.4.0 (exc)
fastify	reply-from	12.5.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-441	The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

CWE ID

Description

CWE-441

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Attack-Flow Graph

Executive Summary

The vulnerability in fastify-reply-from prior to version 12.5.0 allows an attacker to craft a malicious URL to access routes that should be restricted, bypassing the intended route restrictions defined in the plugin. This means unauthorized access to certain server routes could occur.

Impact Analysis

This vulnerability can lead to unauthorized access to server routes that are meant to be restricted, potentially exposing sensitive data or functionality to attackers. It could compromise the security of your application by allowing attackers to reach parts of the system they should not have access to.

Mitigation Strategies

Upgrade the fastify-reply-from plugin to version 12.5.0 or later, as this version contains the fix for the vulnerability.

Hi! I’m here to help you understand CVE-2025-66415. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2025-66415

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart