CVE-2026-15631
Received Received - Intake

Path Traversal in Fastify HTTP Proxy

Vulnerability report for CVE-2026-15631, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: openjs

Description

Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which collapses dot segments, so a crafted upgrade request with path traversal sequences can escape the rewrite prefix and reach upstream endpoints that were not meant to be exposed by the proxy. This is a variant of CVE-2021-21322 in a code path that never went through the HTTP fix in fastify/reply-from. Exploitation requires a non-normalizing WebSocket client, since browsers and the ws package normalize the request path before sending, but raw HTTP clients or downstream proxies that forward the request target unchanged make the attack reachable in production topologies. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
fastify http-proxy From 9.4.0 (inc) to 11.5.0 (inc)
openjs_foundation on-headers *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15631 is a WebSocket path traversal vulnerability in @fastify/http-proxy versions 9.4.0 to 11.5.0. The proxy fails to validate WebSocket destination paths against rewrite prefixes. URL resolution during WebSocket routing collapses path segments like '..', allowing crafted requests to bypass intended restrictions and access unintended upstream endpoints.

Detection Guidance

Check the version of @fastify/http-proxy in use. If it is between 9.4.0 and 11.5.0, the system is vulnerable. Run: npm list @fastify/http-proxy or check package.json for version details.

Impact Analysis

This vulnerability may allow attackers to bypass authorization and access hidden WebSocket endpoints on upstream servers. Potential impacts include data exfiltration or server-side request forgery (SSRF)-style attacks. Exploitation requires a non-normalizing WebSocket client or downstream proxy that forwards raw request paths.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data via WebSocket path traversal, potentially violating GDPR's data protection requirements and HIPAA's safeguards for protected health information by exposing confidential data to unauthorized parties.

Mitigation Strategies

Upgrade @fastify/http-proxy to version 11.6.0 or later immediately. Use: npm update @fastify/http-proxy or specify the fixed version in package.json.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15631. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart