PatchSiren

@fastify/http-proxy CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL @fastify/http-proxy CVE published 2026-07-18

CVE-2026-16117

CVE-2026-16117 is a critical vulnerability in @fastify/http-proxy versions up to and including 11.5.0. The issue arises from the failure to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router decodes paths for route matching, but the request.url retains its original encoded form. Consequently, a request encoding one or more characters of the configured prefix matches the ro [truncated]