CVE-2026-33805
Header Injection Vulnerability in @fastify/reply-from and http-proxy

Publication date: 2026-04-15

Last updated on: 2026-06-01

Assigner: openjs

Description
@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. Upgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.
Meta Information
Published: 2026-04-15
Last modified: 2026-06-01
Generated: 2026-06-16
AI Q&A: 2026-04-15
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Vendor    Product               Version / Range
fastify   fastify/http-proxy    up to 11.4.4 (exclusive)
fastify   reply-from            up to 12.6.2 (exclusive)
CWE
CWE-644: The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in @fastify/reply-from versions 12.6.1 and earlier and @fastify/http-proxy versions 11.4.3 and earlier. It occurs because these packages process the client's Connection header after the proxy has already added its own headers via the rewriteRequestHeaders function.

As a result, an attacker can use the Connection header to retroactively strip headers that the proxy added to upstream requests. This means any header added by the proxy for purposes such as routing, access control, or security can be selectively removed by a client.

@fastify/http-proxy is also affected because it delegates to @fastify/reply-from.

Upgrading to @fastify/reply-from version 12.6.2 or later, or @fastify/http-proxy version 11.4.4 or later, resolves this issue.

Impact Analysis

This vulnerability can impact you by allowing attackers to remove important headers that the proxy adds for routing, access control, or security.

By stripping these headers, attackers may bypass security controls or routing rules, potentially gaining unauthorized access or disrupting normal proxy behavior.

Mitigation Strategies

Upgrade to @fastify/reply-from version 12.6.2 or later, and @fastify/http-proxy version 11.4.4 or later.

Compliance Impact

This vulnerability allows attackers to strip proxy-added headers that are used for routing, access control, or security purposes. By removing these headers, attackers can bypass detection, filtering, and authorization mechanisms implemented by the proxy.

Such unauthorized modification of headers undermines the trust model of security controls, potentially leading to unauthorized access or data exposure.

Because many compliance standards and regulations like GDPR and HIPAA require strict access controls and protection of sensitive data, this vulnerability could lead to non-compliance by enabling attackers to circumvent security policies designed to protect personal or sensitive information.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests passing through the Fastify proxy for suspicious use of the Connection header that lists proxy-added headers. Specifically, look for requests where the Connection header includes names of headers that the proxy normally adds, such as 'x-forwarded-by' or other custom proxy headers.

To detect exploitation attempts, you can capture and inspect HTTP traffic to identify requests with a Connection header that attempts to strip proxy-added headers.

Example commands to detect such requests using common tools:

  • Using tcpdump to capture plaintext HTTP traffic on port 80 and filter for Connection headers containing proxy header names (e.g., x-forwarded-by); this only sees unencrypted traffic:
    tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Connection:.*x-forwarded-by'
  • Using grep on HTTP server logs to find requests with suspicious Connection headers (assuming the access log records request headers):
    grep -i 'Connection:.*x-forwarded-by' /var/log/fastify-access.log

Additionally, review your proxy configuration and logs for unexpected absence of proxy-added headers upstream, which may indicate header stripping.
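As an added illustration (not code from @fastify/reply-from or @fastify/http-proxy), the following JavaScript models both the ordering problem described in the summary above and the Connection-header check from the Detection Guidance: a proxy that removes Connection-listed headers after running rewriteRequestHeaders loses its own headers, while one that removes them first keeps them. The hop-by-hop list, the x-forwarded-by header and the sample request are constructed for the example, and the "fixed" ordering is an assumed safe design, not a description of the upstream patch.

```javascript
// Added example, not code from @fastify/reply-from. Models CVE-2026-33805's
// ordering issue and a detection check; header names and the sample request
// are constructed for illustration.
const HOP_BY_HOP = ['connection', 'keep-alive', 'proxy-authenticate',
  'proxy-authorization', 'te', 'trailer', 'transfer-encoding', 'upgrade'];

// Parse the Connection header into lower-cased tokens (RFC 9110 lists
// hop-by-hop header names as comma-separated tokens in this field).
function connectionTokens(headers) {
  const value = headers['connection'];
  if (!value) return [];
  return value.split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

function stripHopByHop(headers) {
  const out = { ...headers };
  // Collect names before deleting so the Connection value is read once.
  for (const name of [...HOP_BY_HOP, ...connectionTokens(out)]) delete out[name];
  return out;
}

// Vulnerable ordering: proxy headers are added first, then every header the
// client's Connection value names is removed, including the proxy's own.
function buildUpstreamHeadersVulnerable(clientHeaders, rewriteRequestHeaders) {
  return stripHopByHop(rewriteRequestHeaders({ ...clientHeaders }));
}

// Safer ordering (assumed design, not the upstream patch): remove the client's
// hop-by-hop headers first, then let the proxy add headers it controls.
function buildUpstreamHeadersFixed(clientHeaders, rewriteRequestHeaders) {
  return rewriteRequestHeaders(stripHopByHop(clientHeaders));
}

// Detection: return the proxy-added header names that a request's Connection
// header tries to mark as hop-by-hop (a non-empty result is worth alerting on).
function suspiciousConnectionTokens(clientHeaders, proxyAddedNames) {
  const added = new Set(proxyAddedNames.map((n) => n.toLowerCase()));
  return connectionTokens(clientHeaders).filter((t) => added.has(t));
}

// Constructed sample: Node lower-cases incoming header names, values are kept as sent.
const rewrite = (h) => ({ ...h, 'x-forwarded-by': 'edge-proxy' });
const sampleRequest = { host: 'api.internal', connection: 'close, X-Forwarded-By' };

console.log('vulnerable:', buildUpstreamHeadersVulnerable(sampleRequest, rewrite));
console.log('fixed:     ', buildUpstreamHeadersFixed(sampleRequest, rewrite));
console.log('flagged:   ', suspiciousConnectionTokens(sampleRequest, ['x-forwarded-by']));
```

Run with node to see the proxy header survive only in the fixed ordering; the detection helper can be run over each incoming request's headers as an alerting hook.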
