CVE-2026-16158
Received Received - Intake

Cache Key Collision in @fastify/reply-from Leading to Data Leak

Vulnerability report for CVE-2026-16158, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: openjs

Description

Impact: @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 build the internal URL cache key by concatenating the destination and source path without a delimiter. Different destination and source pairs can therefore produce the same key while resolving to different upstream URLs. When getUpstream selects an upstream from request data, a URL cached for one upstream can be reused for a request intended for another upstream, causing cross-upstream data access and modification. The default configuration is affected. Setting disableCache to true prevents the behavior. Patches: upgrade to @fastify/reply-from 12.6.4. Workarounds: pass disableCache: true when registering the plugin.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
fastify reply-from From 8.3.1 (inc) to 12.6.4 (exc)
fastify reply-from 12.6.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the @fastify/reply-from npm package versions 8.3.1 to 12.6.3. It involves a cache key collision in the URL cache mechanism where the cache key is created by combining the destination and source paths without a separator. This can cause different destination-source pairs to generate the same cache key, leading requests to be sent to unintended upstream servers. For example, two different pairs might produce the same concatenated URL, causing cached responses from one server to be reused for another.

Detection Guidance

Check if your system uses @fastify/reply-from versions between 8.3.1 and 12.6.3 by running: npm list @fastify/reply-from. If the version is within this range, the system is potentially vulnerable.

Impact Analysis

This vulnerability allows unauthorized cross-upstream data access and modification. Attackers could manipulate source paths or upstream selection to route requests to unintended servers, potentially exposing sensitive data or altering information. The default configuration is affected, but setting disableCache to true mitigates the issue at the cost of per-request URL parsing overhead.

Compliance Impact

This vulnerability could lead to unauthorized cross-upstream data access and modification, potentially exposing sensitive data. For GDPR, this may result in unlawful data processing or breaches of confidentiality. For HIPAA, it could allow unauthorized access to protected health information, violating compliance requirements.

Mitigation Strategies

Upgrade @fastify/reply-from to version 12.6.4 or later using: npm update @fastify/reply-from. Alternatively, disable the URL cache by setting disableCache: true in the plugin registration.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16158. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart