PatchSiren cyber security CVE debrief
CVE-2026-16158 @fastify/reply-from CVE debrief
CVE-2026-16158 is a high-severity vulnerability in @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4. The vulnerability allows cross-upstream data access and modification due to improper URL cache key generation. The default configuration is affected, but setting disableCache to true prevents the behavior. A patch is available in version 12.6.4. This vulnerability has significant operational impact and requires immediate attention from users of affected versions.
- Vendor
- @fastify/reply-from
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-18
- Original CVE updated
- 2026-07-18
- Advisory published
- 2026-07-18
- Advisory updated
- 2026-07-18
Who should care
Users of @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 should be concerned about this vulnerability as it allows cross-upstream data access and modification. Operators, platform administrators, vulnerability management teams, and security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.
Technical summary
The vulnerability in @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 is caused by the improper generation of URL cache keys. The internal URL cache key is built by concatenating the destination and source path without a delimiter, allowing different destination and source pairs to produce the same key while resolving to different upstream URLs. This can lead to cross-upstream data access and modification when getUpstream selects an upstream from request data. Users should be aware of the potential risks and take necessary precautions.
Defensive priority
High
Recommended defensive actions
- Upgrade to @fastify/reply-from version 12.6.4 or later
- Set disableCache to true when registering the plugin as a temporary workaround
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-18T13:17:06.030Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence limits suggest that further verification is needed to confirm affected scope and severity. Defenders should verify the official advisory and CVE record for more information.
Official resources
-
CVE-2026-16158 CVE record
CVE.org
-
CVE-2026-16158 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
ce714d77-add3-4f53-aff5-83d477b104bb
-
Source reference
ce714d77-add3-4f53-aff5-83d477b104bb
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T13:17:06.030Z and has not been modified since then.