ByteOS Network

fastify-reply-from

Source -

CNANVD

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

0Vulnerabilities found

CVE-2023-51701

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-5.3||MEDIUM

EPSS-0.23% / 45.59%

7 Day CHG~0.00%

Published-08 Jan, 2024 | 13:55

Updated-03 Jun, 2025 | 14:37

@fastify-reply-from JSON Content-Type parsing confusion

fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. A reverse proxy server built with `@fastify/reply-from` could misinterpret the incoming body by passing an header `ContentType: application/json ; charset=utf-8`. This can lead to bypass of security checks. This vulnerability has been patched in '@fastify/reply-from` version 9.6.0.

Vendor-fastify fastify

Product-reply-from fastify-reply-from

CWE ID-CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVE-2021-21321

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-10||CRITICAL

EPSS-0.45% / 62.76%

7 Day CHG~0.00%

Published-02 Mar, 2021 | 03:35

Updated-03 Aug, 2024 | 18:09

Prefix escape

fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is "/pub/", a user expect that accessing "/priv" on the target service would not be possible. In affected versions, it is possible. This is fixed in version 4.0.2.

Vendor-fastify-reply-from_project fastify

Product-fastify-reply-from fastify-reply-from

CWE ID-CWE-20

Improper Input Validation