๐Ÿ” CVE Alert

CVE-2026-16117

CRITICAL 10.0

@fastify/http-proxy vulnerable to prefix escape via URL-encoded characters

CVSS Score
10.0
EPSS Score
0.0%
EPSS Percentile
0th

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the upstream unchanged. The upstream then decodes the path and serves it, letting an attacker reach upstream paths that the proxy was configured to hide via rewritePrefix, including internal or administrative endpoints. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none.

CWE CWE-20
Vendor @fastify/http-proxy
Product @fastify/http-proxy
Published Jul 18, 2026
Stay Ahead of the Next One

Get instant alerts for @fastify/http-proxy @fastify/http-proxy

Be the first to know when new critical vulnerabilities affecting @fastify/http-proxy @fastify/http-proxy are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

@fastify/http-proxy / @fastify/http-proxy
0 < 11.6.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/fastify/fastify-http-proxy/security/advisories/GHSA-mx7v-qhg9-2mvv cna.openjsf.org: https://cna.openjsf.org/security-advisories.html

Credits

๐Ÿ” tndud042713 mcollina UlisesGascon