Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-16158

Summary
Assigner-openjs
Assigner Org ID-ce714d77-add3-4f53-aff5-83d477b104bb
Published At-18 Jul, 2026 | 12:28
Updated At-18 Jul, 2026 | 12:28
Rejected At-
Credits

@fastify/reply-from vulnerable to cross-upstream request routing via URL cache key collision

Impact: @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 build the internal URL cache key by concatenating the destination and source path without a delimiter. Different destination and source pairs can therefore produce the same key while resolving to different upstream URLs. When getUpstream selects an upstream from request data, a URL cached for one upstream can be reused for a request intended for another upstream, causing cross-upstream data access and modification. The default configuration is affected. Setting disableCache to true prevents the behavior. Patches: upgrade to @fastify/reply-from 12.6.4. Workarounds: pass disableCache: true when registering the plugin.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:openjs
Assigner Org ID:ce714d77-add3-4f53-aff5-83d477b104bb
Published At:18 Jul, 2026 | 12:28
Updated At:18 Jul, 2026 | 12:28
Rejected At:
▼CVE Numbering Authority (CNA)
@fastify/reply-from vulnerable to cross-upstream request routing via URL cache key collision

Impact: @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 build the internal URL cache key by concatenating the destination and source path without a delimiter. Different destination and source pairs can therefore produce the same key while resolving to different upstream URLs. When getUpstream selects an upstream from request data, a URL cached for one upstream can be reused for a request intended for another upstream, causing cross-upstream data access and modification. The default configuration is affected. Setting disableCache to true prevents the behavior. Patches: upgrade to @fastify/reply-from 12.6.4. Workarounds: pass disableCache: true when registering the plugin.

Affected Products
Vendor
@fastify/reply-from
Product
@fastify/reply-from
Default Status
unaffected
Versions
Affected
  • From 8.3.1 before 12.6.4 (semver)
Unaffected
  • 12.6.4 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-441CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
Type: CWE
CWE ID: CWE-441
Description: CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
Metrics
VersionBase scoreBase severityVector
3.18.7HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Version: 3.1
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
HamdaanAliQuatil
remediation developer
mcollina
remediation reviewer
UlisesGascon
remediation reviewer
climba03003
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-v574-6498-x57v
N/A
https://cna.openjsf.org/security-advisories.html
N/A
Hyperlink: https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-v574-6498-x57v
Resource: N/A
Hyperlink: https://cna.openjsf.org/security-advisories.html
Resource: N/A
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:ce714d77-add3-4f53-aff5-83d477b104bb
Published At:18 Jul, 2026 | 13:17
Updated At:18 Jul, 2026 | 13:17

Impact: @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 build the internal URL cache key by concatenating the destination and source path without a delimiter. Different destination and source pairs can therefore produce the same key while resolving to different upstream URLs. When getUpstream selects an upstream from request data, a URL cached for one upstream can be reused for a request intended for another upstream, causing cross-upstream data access and modification. The default configuration is affected. Setting disableCache to true prevents the behavior. Patches: upgrade to @fastify/reply-from 12.6.4. Workarounds: pass disableCache: true when registering the plugin.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.7HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-441Secondaryce714d77-add3-4f53-aff5-83d477b104bb
CWE ID: CWE-441
Type: Secondary
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://cna.openjsf.org/security-advisories.htmlce714d77-add3-4f53-aff5-83d477b104bb
N/A
https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-v574-6498-x57vce714d77-add3-4f53-aff5-83d477b104bb
N/A
Hyperlink: https://cna.openjsf.org/security-advisories.html
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Resource: N/A
Hyperlink: https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-v574-6498-x57v
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1Records found

CVE-2026-44494
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-1.04% / 60.15%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 15:32
Updated-17 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.

Action-Not Available
Vendor-axiosaxiosRed Hat, Inc.
Product-axiosaxiosRed Hat Advanced Cluster Security for Kubernetes 4.9Red Hat Satellite 6.19Red Hat OpenShift Container Platform 4.21Red Hat Quay 3.16OpenShift PipelinesRed Hat OpenShift Service Mesh 3.3Red Hat OpenShift Container Platform 4.15Red Hat Advanced Cluster Management for Kubernetes 2.14Red Hat OpenShift Service Mesh 3.2Red Hat OpenShift Container Platform 4.22Red Hat Advanced Cluster Management for Kubernetes 2.11Red Hat OpenShift Service Mesh 2.6Red Hat 3scale API Management Platform 2Red Hat Build of Podman Desktop - Tech PreviewRed Hat Discovery 2Red Hat Developer Hub 1.10Red Hat Quay 3.10multicluster engine for Kubernetes 2.6Red Hat Container Native Virtualization 4.14Network Observability OperatorRed Hat Container Native Virtualization 4.13Red Hat OpenShift AI (RHOAI)multicluster engine for Kubernetes 2.9multicluster engine for Kubernetes 2.8Self-service automation portal 2Red Hat Trusted Profile AnalyzerRed Hat OpenShift Service Mesh 3.1Red Hat Advanced Cluster Security for Kubernetes 4.10Red Hat Fuse 7Gatekeeper 3Red Hat Advanced Cluster Management for Kubernetes 2.13Migration Toolkit for ContainersRed Hat build of Apicurio Registry 3Red Hat OpenShift Container Platform 4.19Red Hat Quay 3.9Red Hat OpenShift Container Platform 4.14Red Hat build of Apache Camel for Spring Boot 4Red Hat Enterprise Linux 9Red Hat Enterprise Linux AI (RHEL AI) 3Red Hat Data Grid 8OpenShift Service Mesh 3Red Hat Trusted Artifact SignerRed Hat Ansible Automation Platform 2Red Hat Enterprise Linux 8Red Hat build of Apache Camel - HawtIO 4Red Hat OpenShift Service Mesh 3Cryostat 4Red Hat OpenShift Virtualization 4Red Hat Developer Hub 1.9Red Hat OpenShift Container Platform 4.20Migration Toolkit for Applications 8Red Hat OpenShift Dev Spaces 3.29Red Hat OpenShift Container Platform 4.16Red Hat AMQ Broker 7Red Hat OpenShift Container Platform 4
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE ID-CWE-441
Unintended Proxy or Intermediary ('Confused Deputy')
CWE ID-CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Details not found