CVE-2026-16117
Received Received - Intake

Path Traversal in Fastify HTTP Proxy

Vulnerability report for CVE-2026-16117, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: openjs

Description

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the upstream unchanged. The upstream then decodes the path and serves it, letting an attacker reach upstream paths that the proxy was configured to hide via rewritePrefix, including internal or administrative endpoints. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
fastify http-proxy to 11.5.0 (inc)
fastify http-proxy 11.6.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability affects @fastify/http-proxy versions up to 11.5.0. When a client sends a URL with an encoded prefix (e.g., /%61pi/ instead of /api/), Fastify's router decodes the path for matching but the request URL remains encoded. The prefix rewrite step fails because it uses a literal string replace on the decoded prefix, leaving the encoded prefix intact. This allows the upstream server to receive the decoded path, bypassing intended restrictions.

Detection Guidance

Check if your system uses @fastify/http-proxy versions 11.5.0 or earlier by running: npm list @fastify/http-proxy. If the version is 11.5.0 or below, the system is vulnerable. Monitor proxy logs for requests with URL-encoded prefixes that bypass intended path restrictions.

Impact Analysis

This vulnerability can lead to path-restriction bypass, server-side request forgery (SSRF), or authorization bypass in the proxied service. Attackers could access internal or administrative endpoints that were meant to be hidden by the proxy's rewritePrefix configuration.

Compliance Impact

This vulnerability could lead to unauthorized access to internal or administrative endpoints via path bypass, potentially exposing sensitive data. This may violate GDPR's data protection requirements or HIPAA's access controls, depending on the proxied service's use case.

Mitigation Strategies

Upgrade @fastify/http-proxy to version 11.6.0 or later immediately using: npm update @fastify/http-proxy. No workarounds exist, so upgrading is the only mitigation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16117. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart