CVE-2026-3635: fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections

March 25, 2026

When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

References

cna.openjsf.org/security-advisories.html
github.com/advisories/GHSA-444r-cwp2-x5xf
github.com/fastify/fastify
github.com/fastify/fastify/releases/tag/v5.8.3
github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf
nvd.nist.gov/vuln/detail/CVE-2026-3635
www.cve.org/CVERecord?id=CVE-2026-3635

Code Behaviors & Features

Detect and mitigate CVE-2026-3635 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →