Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-15631

Summary
Assigner-openjs
Assigner Org ID-ce714d77-add3-4f53-aff5-83d477b104bb
Published At-18 Jul, 2026 | 12:46
Updated At-18 Jul, 2026 | 12:46
Rejected At-
Credits

@fastify/http-proxy vulnerable to prefix escape via WebSocket path traversal

Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which collapses dot segments, so a crafted upgrade request with path traversal sequences can escape the rewrite prefix and reach upstream endpoints that were not meant to be exposed by the proxy. This is a variant of CVE-2021-21322 in a code path that never went through the HTTP fix in fastify/reply-from. Exploitation requires a non-normalizing WebSocket client, since browsers and the ws package normalize the request path before sending, but raw HTTP clients or downstream proxies that forward the request target unchanged make the attack reachable in production topologies. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:openjs
Assigner Org ID:ce714d77-add3-4f53-aff5-83d477b104bb
Published At:18 Jul, 2026 | 12:46
Updated At:18 Jul, 2026 | 12:46
Rejected At:
▼CVE Numbering Authority (CNA)
@fastify/http-proxy vulnerable to prefix escape via WebSocket path traversal

Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which collapses dot segments, so a crafted upgrade request with path traversal sequences can escape the rewrite prefix and reach upstream endpoints that were not meant to be exposed by the proxy. This is a variant of CVE-2021-21322 in a code path that never went through the HTTP fix in fastify/reply-from. Exploitation requires a non-normalizing WebSocket client, since browsers and the ws package normalize the request path before sending, but raw HTTP clients or downstream proxies that forward the request target unchanged make the attack reachable in production topologies. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none.

Affected Products
Vendor
@fastify/http-proxy
Product
@fastify/http-proxy
Default Status
unaffected
Versions
Affected
  • From 9.4.0 before 11.6.0 (semver)
Unaffected
  • 11.6.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-22CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Type: CWE
CWE ID: CWE-22
Description: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Metrics
VersionBase scoreBase severityVector
3.18.7HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Version: 3.1
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
Universe-Theori
remediation developer
UlisesGascon
remediation reviewer
mcollina
reporter
teammyinside
remediation reviewer
climba03003
reporter
KuniNogu
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/fastify/fastify-http-proxy/security/advisories/GHSA-7hrw-592w-9wh2
N/A
https://cna.openjsf.org/security-advisories.html
N/A
Hyperlink: https://github.com/fastify/fastify-http-proxy/security/advisories/GHSA-7hrw-592w-9wh2
Resource: N/A
Hyperlink: https://cna.openjsf.org/security-advisories.html
Resource: N/A
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:ce714d77-add3-4f53-aff5-83d477b104bb
Published At:18 Jul, 2026 | 13:17
Updated At:18 Jul, 2026 | 13:17

Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which collapses dot segments, so a crafted upgrade request with path traversal sequences can escape the rewrite prefix and reach upstream endpoints that were not meant to be exposed by the proxy. This is a variant of CVE-2021-21322 in a code path that never went through the HTTP fix in fastify/reply-from. Exploitation requires a non-normalizing WebSocket client, since browsers and the ws package normalize the request path before sending, but raw HTTP clients or downstream proxies that forward the request target unchanged make the attack reachable in production topologies. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.7HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-22Secondaryce714d77-add3-4f53-aff5-83d477b104bb
CWE ID: CWE-22
Type: Secondary
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://cna.openjsf.org/security-advisories.htmlce714d77-add3-4f53-aff5-83d477b104bb
N/A
https://github.com/fastify/fastify-http-proxy/security/advisories/GHSA-7hrw-592w-9wh2ce714d77-add3-4f53-aff5-83d477b104bb
N/A
Hyperlink: https://cna.openjsf.org/security-advisories.html
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Resource: N/A
Hyperlink: https://github.com/fastify/fastify-http-proxy/security/advisories/GHSA-7hrw-592w-9wh2
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1Records found

CVE-2026-42275
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.33% / 25.12%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 03:45
Updated-08 May, 2026 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.

Action-Not Available
Vendor-netfoundryopenziti
Product-zrokzrok
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-61
UNIX Symbolic Link (Symlink) Following
Details not found