๐Ÿ” CVE Alert

CVE-2026-15631

HIGH 8.7

@fastify/http-proxy vulnerable to prefix escape via WebSocket path traversal

CVSS Score
8.7
EPSS Score
0.0%
EPSS Percentile
0th

Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which collapses dot segments, so a crafted upgrade request with path traversal sequences can escape the rewrite prefix and reach upstream endpoints that were not meant to be exposed by the proxy. This is a variant of CVE-2021-21322 in a code path that never went through the HTTP fix in fastify/reply-from. Exploitation requires a non-normalizing WebSocket client, since browsers and the ws package normalize the request path before sending, but raw HTTP clients or downstream proxies that forward the request target unchanged make the attack reachable in production topologies. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none.

CWE CWE-22
Vendor @fastify/http-proxy
Product @fastify/http-proxy
Published Jul 18, 2026
Stay Ahead of the Next One

Get instant alerts for @fastify/http-proxy @fastify/http-proxy

Be the first to know when new high vulnerabilities affecting @fastify/http-proxy @fastify/http-proxy are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

@fastify/http-proxy / @fastify/http-proxy
9.4.0 < 11.6.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/fastify/fastify-http-proxy/security/advisories/GHSA-7hrw-592w-9wh2 cna.openjsf.org: https://cna.openjsf.org/security-advisories.html

Credits

๐Ÿ” Universe-Theori UlisesGascon mcollina ๐Ÿ” teammyinside climba03003 ๐Ÿ” KuniNogu