
CVE-2026-33805: @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers

EPSS 0.06% · P17

I. Basic Information for CVE-2026-33805

Vulnerability Information

Vulnerability Title
@fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers
Source: NVD (National Vulnerability Database)
Vulnerability Description
@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. Upgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper neutralization of HTTP headers for scripting syntax
Source: NVD (National Vulnerability Database)
Vulnerability Title
fastify/reply-from and fastify/http-proxy security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
fastify/reply-from and fastify/http-proxy are both open-source products from Fastify. fastify/reply-from is a plugin for forwarding incoming HTTP requests to another server. fastify/http-proxy is a full-featured HTTP proxy plugin that supports proxying WebSockets and various route redirections. fastify/reply-from 12.6.1 and earlier and fastify/http-proxy 11.4.3 and earlier contain a security vulnerability, which stems from the proxy, via rewriteRequestHea
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
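To make the ordering problem in the NVD description concrete, the following is a simplified model of the header flow, added here and not taken from @fastify/reply-from's own code: the names listed in the client's Connection header are applied either after the proxy's rewriteRequestHeaders hook (the vulnerable ordering) or before it (the fixed ordering). The header name x-internal-route, the hook addRoutingHeader and the sample request are constructed for illustration.

```javascript
// Added example: a simplified model of the header flow the advisory describes,
// not @fastify/reply-from's own implementation. Header names below are constructed.

// RFC 7230 hop-by-hop headers, dropped by a proxy regardless of the Connection value.
const HOP_BY_HOP = new Set([
  'connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
  'te', 'trailer', 'transfer-encoding', 'upgrade',
]);

// Names listed in a Connection header are also treated as hop-by-hop.
function connectionTokens(value) {
  if (!value) return new Set();
  return new Set(value.split(',').map((t) => t.trim().toLowerCase()).filter(Boolean));
}

// Return a copy of `headers` without hop-by-hop headers (fixed list + Connection list).
function stripHopByHop(headers) {
  const named = connectionTokens(headers.connection);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!HOP_BY_HOP.has(key) && !named.has(key)) out[key] = value;
  }
  return out;
}

// Vulnerable ordering (as described for v12.6.1 and earlier): the rewrite hook runs
// first, so a client that names a proxy-added header in Connection gets it stripped.
function buildUpstreamHeadersVulnerable(clientHeaders, rewriteRequestHeaders) {
  return stripHopByHop(rewriteRequestHeaders({ ...clientHeaders }));
}

// Fixed ordering: the client's hop-by-hop headers (including Connection itself) are
// removed first, so the rewrite hook's additions cannot be influenced by the client.
function buildUpstreamHeadersFixed(clientHeaders, rewriteRequestHeaders) {
  return rewriteRequestHeaders(stripHopByHop({ ...clientHeaders }));
}

// Constructed rewrite hook: tags every upstream request with an internal routing header.
const addRoutingHeader = (headers) => ({ ...headers, 'x-internal-route': 'tenant-a' });

// Constructed client request that lists the proxy's header in its Connection value.
const sampleClientHeaders = {
  host: 'proxy.example',
  connection: 'keep-alive, x-internal-route',
};

// Quick demonstration when run directly.
console.log('vulnerable:', buildUpstreamHeadersVulnerable(sampleClientHeaders, addRoutingHeader));
console.log('fixed:     ', buildUpstreamHeadersFixed(sampleClientHeaders, addRoutingHeader));
```

With the vulnerable ordering the upstream request loses x-internal-route; with the fixed ordering it keeps it and the client's Connection header is dropped before the hook runs.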

Affected Products

Vendor               Product               Affected Versions   CPE
@fastify/reply-from  @fastify/reply-from   0 ~ 12.6.2          -
@fastify/reply-from  @fastify/http-proxy   0 ~ 11.4.4          -

II. Public POCs for CVE-2026-33805

No public POC found.

III. Intelligence Information for CVE-2026-33805

IV. Related Vulnerabilities

V. Comments for CVE-2026-33805

No comments yet