fastify-reply-from affected by bypass of reply forwarding
By crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from.
Advisories for Npm/@Fastify/Reply-From package
2025
2024
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. A reverse proxy server built with @fastify/reply-from could misinterpret the incoming body by passing an header ContentType: application/json ; charset=utf-8. This can lead to bypass of security checks. This vulnerability has been patched in '@fastify/reply-from` version 9.6.0.