PatchSiren cyber security CVE debrief
CVE-2026-33805 @fastify/reply-from CVE debrief
CVE-2026-33805 is a critical vulnerability in Fastify's proxy packages: @fastify/reply-from applies the client's Connection header only after the headers added by the proxy's rewriteRequestHeaders hook have been set. Because a proxy must remove every header named in Connection, an attacker can list the proxy's own header names in that field and retroactively strip headers the proxy added for routing, access control, or security. Affected are @fastify/reply-from before 12.6.2 and @fastify/http-proxy before 11.4.4, the latter because it delegates request forwarding to @fastify/reply-from. The issue was published on April 15, 2026, and last modified on June 1, 2026. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no privileges required, high impact on the integrity of the vulnerable system, and high impact on the confidentiality and integrity of subsequent systems.
- Vendor: @fastify/reply-from
- Product: Unknown
- CVSS: CRITICAL 9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-15
- Original CVE updated: 2026-06-01
- Advisory published: 2026-04-15
- Advisory updated: 2026-06-01
Who should care
Organizations using @fastify/reply-from or @fastify/http-proxy as reverse proxies, API gateways, or request forwarding layers in Node.js applications. Security teams responsible for proxy infrastructure, header-based access controls, or request routing logic. Development teams maintaining Fastify-based microservices or edge proxy deployments.
Technical summary
The vulnerability exists because @fastify/reply-from processes the Connection header only after rewriteRequestHeaders has run. Under HTTP/1.1 (RFC 9110 section 7.6.1) the Connection field lists hop-by-hop header fields that a proxy must remove before forwarding the message, so honouring it is correct in itself; the defect is that the removal is applied late enough to also cover headers the proxy has just added. A client that names proxy-added headers in Connection therefore causes them to be dropped from the upstream request. Any header the upstream trusts on the assumption that only the proxy can set it is at risk, which can mean authentication bypass, routing manipulation, or request smuggling, depending on what the stripped header governed. @fastify/http-proxy inherits the flaw because it delegates request forwarding to @fastify/reply-from.
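The two orderings side by side, as an added JavaScript model written for this debrief rather than taken from @fastify/reply-from's source. The rewrite hook, the header names x-internal-auth and x-route, and the attacker request are constructed for the demonstration and are not from the advisory.

```javascript
// Added illustration of the ordering flaw; a model, not the library's code.
// Header names (x-internal-auth, x-route) and the attacker request are
// assumptions chosen for the demo.

// Hop-by-hop header fields a proxy must not forward (RFC 9110 section 7.6.1).
const HOP_BY_HOP = new Set([
  'connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
  'te', 'trailer', 'transfer-encoding', 'upgrade',
]);

// Split a Connection header value into lowercase header names.
function connectionTokens(value) {
  if (typeof value !== 'string') return [];
  return value.split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Drop hop-by-hop headers plus every header the Connection value names.
// Keys are compared case-insensitively and emitted lowercased, as Node's
// IncomingMessage.headers already does for incoming requests.
function stripHopByHop(headers) {
  const listed = new Set(connectionTokens(headers.connection));
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (HOP_BY_HOP.has(lower) || listed.has(lower)) continue;
    out[lower] = value;
  }
  return out;
}

// Vulnerable ordering (the pre-12.6.2 behaviour described above): the
// rewriteRequestHeaders hook runs first, Connection-based stripping after,
// so the client's Connection value can name away what the hook added.
function forwardHeadersVulnerable(clientHeaders, rewriteRequestHeaders) {
  const rewritten = rewriteRequestHeaders({ ...clientHeaders });
  return stripHopByHop(rewritten);
}

// One corrected ordering: strip the client-controlled names first, then let
// the proxy add its own headers, which the client can no longer reference.
function forwardHeadersFixed(clientHeaders, rewriteRequestHeaders) {
  const stripped = stripHopByHop(clientHeaders);
  return rewriteRequestHeaders(stripped);
}

// Hypothetical proxy configuration: asserts an internal auth header and a
// routing header that the upstream trusts because only the proxy sets them.
function demoRewriteRequestHeaders(headers) {
  headers['x-internal-auth'] = 'proxy-asserted';
  headers['x-route'] = 'tenant-a';
  return headers;
}

// Constructed attacker request: Connection names the proxy's own headers.
const ATTACKER_HEADERS = {
  host: 'gateway.example',
  connection: 'close, X-Internal-Auth, x-route',
  'user-agent': 'demo',
};

// Run both orderings on the constructed request and return the upstream
// header sets each would produce.
function demo() {
  return {
    vulnerable: forwardHeadersVulnerable(ATTACKER_HEADERS, demoRewriteRequestHeaders),
    fixed: forwardHeadersFixed(ATTACKER_HEADERS, demoRewriteRequestHeaders),
  };
}

console.log(demo());
```

In the vulnerable ordering the upstream receives neither x-internal-auth nor x-route, although the hook set both; in the corrected ordering both survive and the Connection header itself is gone, which is the only part of the request the client was entitled to influence.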
Defensive priority
CRITICAL
Recommended defensive actions
- Upgrade @fastify/reply-from to version 12.6.2 or later
- Upgrade @fastify/http-proxy to version 11.4.4 or later
- If immediate patching is not possible, reject requests whose Connection header names any header the proxy itself sets, and have upstream services fail closed when a proxy-asserted header they rely on is absent rather than treating its absence as a default
- Audit proxy configurations to identify headers added via rewriteRequestHeaders that could be targeted for removal, and enumerate them so a guard or detection rule can reference them by name
- Monitor for anomalous Connection header values on proxy endpoints: anything beyond the standard options (close, keep-alive, upgrade) and hop-by-hop field names, and in particular any name matching a proxy-added header
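A stopgap guard for the interim actions above, written for this debrief as an added example and not taken from @fastify/reply-from or @fastify/http-proxy. It is shaped as a Fastify onRequest hook; the list of protected header names (x-internal-auth, x-route) is an assumption standing in for whatever a given deployment adds in rewriteRequestHeaders, and the harness at the end uses duck-typed request and reply objects so the guard can be exercised offline.

```javascript
// Added example (not the project's code): a guard for a Fastify onRequest hook
// to run while the upgrade is pending. It rejects requests whose Connection
// header names a header this proxy injects (PROTECTED_HEADERS is an assumed,
// deployment-specific list) and reports any other non-standard name so it can
// be fed to monitoring.

// Standard Connection options plus hop-by-hop fields (RFC 9110 section 7.6.1).
const EXPECTED_TOKENS = new Set([
  'close', 'keep-alive', 'upgrade', 'te', 'trailer', 'transfer-encoding',
  'proxy-authenticate', 'proxy-authorization',
]);

// Headers this deployment adds in rewriteRequestHeaders (assumption).
const PROTECTED_HEADERS = new Set(['x-internal-auth', 'x-route']);

// Split a Connection header value into lowercase header names.
function connectionTokens(value) {
  if (typeof value !== 'string') return [];
  return value.split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Sort Connection tokens into proxy-injected names (attack signal) and other
// non-standard names (worth logging but not necessarily hostile).
function classifyConnection(value, protectedNames = PROTECTED_HEADERS) {
  const targeted = [];
  const unusual = [];
  for (const token of connectionTokens(value)) {
    if (protectedNames.has(token)) targeted.push(token);
    else if (!EXPECTED_TOKENS.has(token)) unusual.push(token);
  }
  return { targeted, unusual };
}

// Callback-style Fastify hook; register with
//   app.addHook('onRequest', connectionGuard)
// on the instance that also registers the proxy plugin. Replying from a hook
// ends the chain, so done() is called only when the request is allowed through.
// Node lowercases incoming header keys, hence request.headers.connection.
function connectionGuard(request, reply, done) {
  const { targeted, unusual } = classifyConnection(request.headers.connection);
  if (targeted.length > 0) {
    request.log.warn({ targeted }, 'Connection header names proxy-injected headers');
    reply.code(400).send({ error: 'unacceptable Connection header' });
    return;
  }
  if (unusual.length > 0) {
    request.log.warn({ unusual }, 'non-standard Connection header tokens');
  }
  done();
}

// Offline harness: duck-typed request/reply so the guard runs without a
// server. Returns the status sent (if any), whether the request passed, and
// the warning messages logged.
function runGuard(headers) {
  const result = { status: null, passed: false, warnings: [] };
  const request = { headers, log: { warn: (_fields, msg) => result.warnings.push(msg) } };
  const reply = {
    code(status) { result.status = status; return this; },
    send() { return this; },
  };
  connectionGuard(request, reply, () => { result.passed = true; });
  return result;
}

// Constructed sample requests: one benign, one naming a protected header.
console.log(runGuard({ host: 'gateway.example', connection: 'keep-alive' }));
console.log(runGuard({ host: 'gateway.example', connection: 'close, X-Internal-Auth' }));
```

The guard only protects the names it is told about and does nothing about the library's own ordering, so it is a bridge to the upgrade, not a replacement for it; the logged "unusual" tokens are the signal the monitoring bullet above asks for.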
Evidence notes
The NVD record identifies affected CPEs for fastify:reply-from (versions before 12.6.2) and fastify:fastify/http-proxy (versions before 11.4.4). The GitHub Security Advisory (GHSA-gwhp-pf74-vj37) is tagged as containing exploit details, mitigation guidance, and vendor advisory information. The weakness is classified as CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax).
Official resources
- CVE-2026-33805 CVE record (CVE.org)
- CVE-2026-33805 NVD detail (NVD)
- Mitigation or vendor reference (tagged Vendor Advisory)
- Mitigation or vendor reference (tagged Exploit, Mitigation, Vendor Advisory)