๐Ÿ” CVE Alert

CVE-2026-16158

HIGH 8.7

@fastify/reply-from vulnerable to cross-upstream request routing via URL cache key collision

CVSS Score
8.7
EPSS Score
0.0%
EPSS Percentile
0th

Impact: @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 build the internal URL cache key by concatenating the destination and source path without a delimiter. Different destination and source pairs can therefore produce the same key while resolving to different upstream URLs. When getUpstream selects an upstream from request data, a URL cached for one upstream can be reused for a request intended for another upstream, causing cross-upstream data access and modification. The default configuration is affected. Setting disableCache to true prevents the behavior. Patches: upgrade to @fastify/reply-from 12.6.4. Workarounds: pass disableCache: true when registering the plugin.

CWE CWE-441
Vendor @fastify/reply-from
Product @fastify/reply-from
Published Jul 18, 2026
Stay Ahead of the Next One

Get instant alerts for @fastify/reply-from @fastify/reply-from

Be the first to know when new high vulnerabilities affecting @fastify/reply-from @fastify/reply-from are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

@fastify/reply-from / @fastify/reply-from
8.3.1 < 12.6.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-v574-6498-x57v cna.openjsf.org: https://cna.openjsf.org/security-advisories.html

Credits

๐Ÿ” HamdaanAliQuatil mcollina UlisesGascon climba03003