CVE-2026-33805
Header Injection Vulnerability in @fastify/reply-from and http-proxy
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: openjs
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastify | reply-from | up to, but excluding, 12.6.2 |
| fastify | http-proxy | up to, but excluding, 11.4.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-644 | The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to strip proxy-added headers that are used for routing, access control, or security purposes. By removing these headers, attackers can bypass detection, filtering, and authorization mechanisms implemented by the proxy.
Such unauthorized modification of headers undermines the trust model of security controls, potentially leading to unauthorized access or data exposure.
Because many compliance standards and regulations like GDPR and HIPAA require strict access controls and protection of sensitive data, this vulnerability could lead to non-compliance by enabling attackers to circumvent security policies designed to protect personal or sensitive information.
Can you explain this vulnerability to me?
This vulnerability exists in @fastify/reply-from versions 12.6.1 and earlier and @fastify/http-proxy versions 11.4.3 and earlier. It occurs because these packages process the client's Connection header after the proxy has already added its own headers via the rewriteRequestHeaders function.
As a result, an attacker can use the Connection header to retroactively strip headers that the proxy added to upstream requests. This means any header added by the proxy for purposes such as routing, access control, or security can be selectively removed by a client.
@fastify/http-proxy is also affected because it delegates to @fastify/reply-from.
Upgrading to @fastify/reply-from version 12.6.2 or later, or @fastify/http-proxy version 11.4.4 or later, resolves this issue.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to remove important headers that the proxy adds for routing, access control, or security.
By stripping these headers, attackers may bypass security controls or routing rules, potentially gaining unauthorized access or disrupting normal proxy behavior.
What immediate steps should I take to mitigate this vulnerability?
Upgrade to @fastify/reply-from version 12.6.2 or later, and @fastify/http-proxy version 11.4.4 or later.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests passing through the Fastify proxy for suspicious use of the Connection header that lists proxy-added headers. Specifically, look for requests where the Connection header includes names of headers that the proxy normally adds, such as 'x-forwarded-by' or other custom proxy headers.
To detect exploitation attempts, you can capture and inspect HTTP traffic to identify requests with a Connection header that attempts to strip proxy-added headers.
Example commands to detect such requests using common tools:
- Using tcpdump to capture plaintext HTTP traffic (port 80; TLS traffic cannot be inspected this way and must be checked at the proxy itself) and filter for Connection headers that name a proxy-added header (e.g., x-forwarded-by):
  `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Connection:.*x-forwarded-by'`
- Using grep on HTTP server logs, assuming your log format records request headers, to find requests with suspicious Connection headers:
  `grep -i 'Connection:.*x-forwarded-by' /var/log/fastify-access.log`
Additionally, review your proxy configuration and logs for unexpected absence of proxy-added headers upstream, which may indicate header stripping.
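The ordering described in the explanation above and the Connection-header check described in the detection answer, as an added example that is not @fastify/reply-from's own code: rewriteRequestHeaders is modelled as a one-argument hook (headers => headers), and x-forwarded-by with the value edge-proxy is a constructed sample, not a header the project necessarily adds.

```javascript
// Added illustration of the ordering bug described in CVE-2026-33805.
// Not @fastify/reply-from's code: a simplified model in which the
// rewriteRequestHeaders hook is a one-argument function (headers => headers).
// Hop-by-hop header names a proxy drops on forwarding.
const HOP_BY_HOP = new Set([
  'connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
  'te', 'trailer', 'transfer-encoding', 'upgrade',
]);

// Header names listed in the Connection header, lower-cased and trimmed.
function connectionTokens(headers) {
  const value = headers['connection'];
  if (!value) return [];
  return value.split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Drop hop-by-hop headers plus every header the Connection header names.
function stripHopByHop(headers) {
  const drop = new Set([...HOP_BY_HOP, ...connectionTokens(headers)]);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!drop.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Vulnerable order, as the advisory describes it: proxy headers are added
// first, then Connection is honoured, so a client can name them away.
function buildUpstreamHeadersVulnerable(clientHeaders, rewriteRequestHeaders) {
  return stripHopByHop(rewriteRequestHeaders({ ...clientHeaders }));
}

// Safe order (one way to close the gap; not necessarily the project's patch):
// honour Connection against the client's own headers, then add proxy headers.
function buildUpstreamHeadersSafe(clientHeaders, rewriteRequestHeaders) {
  return rewriteRequestHeaders(stripHopByHop({ ...clientHeaders }));
}

// Detection helper for the log review described above: Connection tokens
// that name headers this proxy is known to add.
function suspiciousConnectionTokens(headers, proxyHeaderNames) {
  const known = new Set(proxyHeaderNames.map((n) => n.toLowerCase()));
  return connectionTokens(headers).filter((t) => known.has(t));
}

// Constructed sample: a client request naming the proxy's routing header,
// and a constructed hook that adds that header for access control upstream.
const sampleClientHeaders = { host: 'app.example', connection: 'close, x-forwarded-by' };
const addProxyHeaders = (h) => ({ ...h, 'x-forwarded-by': 'edge-proxy' });
```

With the sample request, the vulnerable order forwards no x-forwarded-by header at all, while the safe order forwards it regardless of what the client lists in Connection.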