CRITICAL
@fastify/http-proxy
CVE published 2026-07-18
CVE-2026-16117
CVE-2026-16117 is a critical vulnerability in @fastify/http-proxy versions up to and including 11.5.0. The issue arises from the failure to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router decodes paths for route matching, but the request.url retains its original encoded form. Consequently, a request encoding one or more characters of the configured prefix matches the ro [truncated]