PatchSiren cyber security CVE debrief
CVE-2026-16117 @fastify/http-proxy CVE debrief
CVE-2026-16117 is a critical vulnerability in @fastify/http-proxy versions up to and including 11.5.0. The issue arises from the failure to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router decodes paths for route matching, but the request.url retains its original encoded form. Consequently, a request encoding one or more characters of the configured prefix matches the route but skips the rewrite. This allows an attacker to reach upstream paths that the proxy was configured to hide via rewritePrefix, including internal or administrative endpoints.
- Vendor
- @fastify/http-proxy
- Product
- Unknown
- CVSS
- CRITICAL 10
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-18
- Original CVE updated
- 2026-07-18
- Advisory published
- 2026-07-18
- Advisory updated
- 2026-07-18
Who should care
Developers and administrators using @fastify/http-proxy versions up to and including 11.5.0 should be concerned about this vulnerability. This includes those who have applications or services relying on URL prefix rewriting for security or access control. The potential impact is significant as it could allow unauthorized access to internal or administrative endpoints.
Technical summary
The vulnerability in @fastify/http-proxy arises from how it handles URL-encoded prefix segments during the rewriting process. Normally, Fastify's router decodes paths to match routes, but the request URL remains in its original encoded form. The prefix rewriting step uses a literal string replacement against the decoded prefix. If a request encodes characters in the prefix, it will match the route but bypass the rewrite. Consequently, the encoded path is forwarded to the upstream server unchanged. Upon decoding by the upstream server, an attacker could access paths intended to be hidden by the proxy, including internal or administrative endpoints.
Defensive priority
High
Recommended defensive actions
- Upgrade to @fastify/http-proxy version 11.6.0 or later.
- Review and adjust URL prefix rewriting configurations to ensure they are not vulnerable to bypass.
- Implement additional monitoring for unusual or unauthorized access attempts to hidden endpoints.
- Consider compensating controls such as additional authentication or access controls for sensitive endpoints.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
Evidence notes
The CVE record and NVD detail provide information on the vulnerability. Additional sources include OpenJSF security advisories and a GitHub advisory. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected deployments, review official advisories, and monitor for unusual access attempts to hidden endpoints.
Official resources
-
CVE-2026-16117 CVE record
CVE.org
-
CVE-2026-16117 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
ce714d77-add3-4f53-aff5-83d477b104bb
-
Source reference
ce714d77-add3-4f53-aff5-83d477b104bb
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:11.620Z and has not been modified since then.