CVE Reports

Originally published at cvereports.com

CVE-2026-33805: Connection Header Abuse in @fastify/reply-from and @fastify/http-proxy

Vulnerability ID: CVE-2026-33805
CVSS Score: 9.0
Published: 2026-04-16

A logic flaw in the header-processing pipeline of @fastify/reply-from and @fastify/http-proxy allows unauthenticated remote attackers to bypass access controls or subvert routing. By listing header names in the HTTP Connection header, a client can force the proxy to remove security-critical headers that the developer injected via the rewriteRequestHeaders hook, because the proxy performed its hop-by-hop stripping after the hook had run.

TL;DR

A vulnerability in the Fastify proxy plugins allows clients to strip proxy-injected security headers by abusing the RFC 7230 hop-by-hop stripping mechanism (headers named in the Connection header are removed before forwarding), leading to authentication bypasses and header spoofing.

⚠️ Exploit Status: PoC

Technical Details

  • CVSS Score: 9.0 (Critical)
  • Attack Vector: Network
  • CWE ID: CWE-644
  • Exploit Status: PoC Available
  • EPSS Score: 0.00042 (12.75%)
  • Authentication: None Required

Affected Systems

  • @fastify/reply-from
  • @fastify/http-proxy
  • Node.js API Gateways
  • Fastify Edge Proxies
  • @fastify/reply-from: <= 12.6.1 (Fixed in: 12.6.2)
  • @fastify/http-proxy: <= 11.4.3 (Fixed in: 11.4.4)

Code Analysis

Commit: c815dc4

Moves Connection header stripping logic before rewriteRequestHeaders invocation to prevent client-controlled deletion of proxy metadata.

Exploit Details

  • Provided PoC: Proof of concept script demonstrating stripping of proxy-injected headers using the Connection header.

Mitigation Strategies

  • Upgrade Fastify proxy plugins to their patched versions.
  • Implement WAF rules to reject HTTP requests containing unexpected tokens in the Connection header.
  • Ensure upstream services enforce strict validation of incoming headers and implement default-deny fallback logic.

Remediation Steps:

  1. Identify all projects utilizing @fastify/reply-from or @fastify/http-proxy via dependency auditing.
  2. Update @fastify/reply-from to >= 12.6.2 using package managers (e.g., npm install @fastify/reply-from@12.6.2).
  3. Update @fastify/http-proxy to >= 11.4.4 using package managers.
  4. Rebuild and redeploy edge proxy applications.
  5. Verify the fix by executing requests with manipulated Connection headers and confirming proxy-added headers persist.
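The following is an added example (not code from the plugins or the advisory) that models the two pipeline orderings described under Code Analysis and implements the check from step 5. It treats headers as a plain lower-cased object, and the injected header name `x-internal-user` and the upstream host are constructed placeholders.

```javascript
// RFC 7230 §6.1: each token in Connection names a hop-by-hop header that a
// proxy must remove before forwarding; Connection itself is removed as well.
function stripHopByHop(headers) {
  const out = { ...headers };
  const tokens = (headers.connection || '')
    .split(',')
    .map((t) => t.trim().toLowerCase())
    .filter(Boolean);
  for (const name of tokens) delete out[name];
  delete out.connection;
  return out;
}

// The operator's rewriteRequestHeaders hook: injects identity metadata the
// upstream trusts. 'x-internal-user' and 'alice' are constructed values.
function rewriteRequestHeaders(headers) {
  return { ...headers, 'x-internal-user': 'alice' };
}

// Vulnerable ordering (<= 12.6.1 / <= 11.4.3): the hook runs first, so a
// client-supplied Connection token can name the header the hook just added.
function forwardVulnerable(clientHeaders) {
  return stripHopByHop(rewriteRequestHeaders(clientHeaders));
}

// Fixed ordering (commit c815dc4): client-controlled hop-by-hop stripping
// happens first, then the hook injects proxy metadata that nothing removes.
function forwardFixed(clientHeaders) {
  return rewriteRequestHeaders(stripHopByHop(clientHeaders));
}

// Remediation step 5 as a unit check: the proxy-added header must survive a
// request whose Connection header names it and which also spoofs its value.
function proxyHeadersPersist(forward) {
  const constructedRequest = {
    host: 'upstream.internal.example',
    connection: 'keep-alive, x-internal-user',
    'x-internal-user': 'client-chosen-value',
  };
  const upstream = forward(constructedRequest);
  return upstream['x-internal-user'] === 'alice';
}

console.log('vulnerable ordering keeps header:', proxyHeadersPersist(forwardVulnerable));
console.log('fixed ordering keeps header:     ', proxyHeadersPersist(forwardFixed));
```

With the vulnerable ordering the injected header is absent on the upstream side; with the fixed ordering the client's spoofed value is stripped and the hook's value is the only one forwarded.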

References

Read the full report for CVE-2026-33805 on our website for more details including interactive diagrams and full exploit analysis.