Advisories for Npm/@Fastify/Reply-From package

2026

Fastify's connection header abuse enables stripping of proxy-added headers

@fastify/reply-from and @fastify/http-proxy process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers (like access control or identification headers) from upstream requests by listing them in the Connection header value. This affects applications using these plugins with custom header injection for routing, access control, or security purposes.

2025

fastify-reply-from affected by bypass of reply forwarding

By crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from.

2024

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. A reverse proxy server built with @fastify/reply-from could misinterpret the incoming body by passing an header ContentType: application/json ; charset=utf-8. This can lead to bypass of security checks. This vulnerability has been patched in '@fastify/reply-from` version 9.6.0.