CVE-2026-33805

UNKNOWN 0.0

@fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

13th

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. Upgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.

CWE	CWE-644
Vendor	@fastify/reply-from
Product	@fastify/reply-from
Published	Apr 15, 2026
Last Updated	Apr 15, 2026

Stay Ahead of the Next One

Get instant alerts for @fastify/reply-from @fastify/reply-from

Be the first to know when new unknown vulnerabilities affecting @fastify/reply-from @fastify/reply-from are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

@fastify/reply-from / @fastify/reply-from

0 < 12.6.2

@fastify/reply-from / @fastify/http-proxy

0 < 11.4.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37 cna.openjsf.org: https://cna.openjsf.org/security-advisories.html

Credits

🔍 FredKSchott mcollina UlisesGascon climba03003