Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-3635
PUBLISHED
More InfoOfficial Page
Assigner-openjs
Assigner Org ID-ce714d77-add3-4f53-aff5-83d477b104bb
View Known Exploited Vulnerability (KEV) details
Published At-23 Mar, 2026 | 13:53
Updated At-23 Mar, 2026 | 15:30
Rejected At-
▼CVE Numbering Authority (CNA)
Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function

Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. Affected Versions fastify <= 5.8.2 Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function. When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

Affected Products
Vendor
fastify
Product
fastify
Default Status
unaffected
Versions
Affected
  • From 0 through 5.8.2 (semver)
Unaffected
  • 5.8.3 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-348CWE-348 Use of less trusted source
Type: CWE
CWE ID: CWE-348
Description: CWE-348 Use of less trusted source
Metrics
VersionBase scoreBase severityVector
3.16.1MEDIUM
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
LetaoZhao (TinkAnet)
remediation reviewer
KaKa (climba03003)
remediation reviewer
Matteo Collina
remediation reviewer
Ulises Gascón
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf
N/A
https://www.cve.org/CVERecord?id=CVE-2026-3635
N/A
https://cna.openjsf.org/security-advisories.html
N/A
Hyperlink: https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf
Resource: N/A
Hyperlink: https://www.cve.org/CVERecord?id=CVE-2026-3635
Resource: N/A
Hyperlink: https://cna.openjsf.org/security-advisories.html
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found