PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-16158 @fastify/reply-from CVE debrief

CVE-2026-16158 is a high-severity vulnerability in @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4. The vulnerability allows cross-upstream data access and modification due to improper URL cache key generation. The default configuration is affected, but setting disableCache to true prevents the behavior. A patch is available in version 12.6.4. This vulnerability has significant operational impact and requires immediate attention from users of affected versions.

Vendor
@fastify/reply-from
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-18
Original CVE updated
2026-07-18
Advisory published
2026-07-18
Advisory updated
2026-07-18

Who should care

Users of @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 should be concerned about this vulnerability as it allows cross-upstream data access and modification. Operators, platform administrators, vulnerability management teams, and security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The vulnerability in @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 is caused by the improper generation of URL cache keys. The internal URL cache key is built by concatenating the destination and source path without a delimiter, allowing different destination and source pairs to produce the same key while resolving to different upstream URLs. This can lead to cross-upstream data access and modification when getUpstream selects an upstream from request data. Users should be aware of the potential risks and take necessary precautions.

Defensive priority

High

Recommended defensive actions

  • Upgrade to @fastify/reply-from version 12.6.4 or later
  • Set disableCache to true when registering the plugin as a temporary workaround
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-18T13:17:06.030Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence limits suggest that further verification is needed to confirm affected scope and severity. Defenders should verify the official advisory and CVE record for more information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T13:17:06.030Z and has not been modified since then.