CVE-2026-3635— Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-3635
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function
Source: NVD (National Vulnerability Database)
Vulnerability Description
Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. Affected Versions fastify <= 5.8.2 Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function. When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用不可信的源
Source: NVD (National Vulnerability Database)
Vulnerability Title
Fastify 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Fastify是Fastify开源的一个 Web 框架。 fastify 5.8.2及之前版本存在安全漏洞,该漏洞源于当trustProxy配置为限制性信任函数时,request.protocol和request.host会读取来自任何连接的X-Forwarded-Proto和X-Forwarded-Host标头,可能导致攻击者绕过代理并欺骗应用程序看到的协议和主机。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-3635
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-3635
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: fastify
- CVE-2026-33806
fastify vulnerable to Body Schema Validation Bypass via Lead - CVE-2026-3419
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malf - CVE-2026-25223
Fastify's Content-Type header tab character allows body vali - CVE-2026-25224
Fastify Vulnerable to DoS via Unbounded Memory Allocation in - CVE-2025-32442
Fastify vulnerable to invalid content-type parsing, which co
Same vendor: fastify
- CVE-2026-33807
@fastify/express vulnerable to middleware path doubling caus - CVE-2026-33808
@fastify/express vulnerable to middleware authentication byp - CVE-2026-33806
fastify vulnerable to Body Schema Validation Bypass via Lead - CVE-2026-3419
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malf - CVE-2026-25223
Fastify's Content-Type header tab character allows body vali
V. Comments for CVE-2026-3635
No comments yet