CRITICAL
@fastify/reply-from
CVE published 2026-04-15
CVE-2026-33805
CVE-2026-33805 is a critical vulnerability in Fastify's proxy packages where the client's Connection header is processed after proxy-added headers are applied via rewriteRequestHeaders. This ordering flaw allows attackers to retroactively strip headers added by the proxy for routing, access control, or security purposes by listing them in the Connection header value. The vulnerability affects @fastify/rep [truncated]
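The ordering flaw described above, shown as an added example: a simplified model, not code from @fastify/reply-from or its patch. All function names, the `x-authenticated-user` and `x-forwarded-for` values, and the sample request are assumptions constructed for illustration.

```javascript
// Simplified model of the header-ordering flaw; not @fastify/reply-from source.
// Hypothetical names: stripConnectionListed, addProxyHeaders, buildVulnerable, buildHardened.

// Remove the Connection header and every header it names (RFC 9110 section 7.6.1).
function stripConnectionListed(headers) {
  const out = { ...headers };
  const listed = String(out.connection || '')
    .split(',')
    .map((t) => t.trim().toLowerCase())
    .filter(Boolean);
  for (const name of listed) delete out[name];
  delete out.connection;
  return out;
}

// Stand-in for a rewriteRequestHeaders hook: the proxy attaches trusted headers.
function addProxyHeaders(headers) {
  return { ...headers, 'x-authenticated-user': 'alice', 'x-forwarded-for': '203.0.113.7' };
}

// Flawed order: proxy headers are added first, then the client's Connection
// list is honoured, so it can name and delete what the proxy just added.
function buildVulnerable(clientHeaders) {
  return stripConnectionListed(addProxyHeaders(clientHeaders));
}

// Hardened order: consume the client's Connection list first, on client
// headers only, then add proxy headers that nothing client-controlled can remove.
function buildHardened(clientHeaders) {
  return addProxyHeaders(stripConnectionListed(clientHeaders));
}

// Constructed sample request headers (lower-cased, as Node.js presents them).
const sampleClientHeaders = {
  host: 'app.example',
  connection: 'keep-alive, X-Authenticated-User',
  'keep-alive': 'timeout=5',
};

// Defensive check for a regression test: every header the proxy adds must survive.
function missingProxyHeaders(upstreamHeaders) {
  return ['x-authenticated-user', 'x-forwarded-for'].filter((h) => !(h in upstreamHeaders));
}

console.log('vulnerable order drops:', missingProxyHeaders(buildVulnerable(sampleClientHeaders)));
console.log('hardened order drops:', missingProxyHeaders(buildHardened(sampleClientHeaders)));
```

A check like `missingProxyHeaders` can run in a proxy's integration tests against the headers an upstream test server actually receives.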