Prefix escape
CVE-2021-21321

10CRITICAL

Key Information:

Vendor

Fastify

Status
Fastify-reply-from
Vendor
CVE Published:
2 March 2021

What is CVE-2021-21321?

fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is "/pub/", a user expect that accessing "/priv" on the target service would not be possible. In affected versions, it is possible. This is fixed in version 4.0.2.

Affected Version(s)

fastify-reply-from < 4.0.2

References

https://github.com/fastify/fastify-reply-from/security/ad...
x_refsource_CONFIRM
https://www.npmjs.com/package/fastify-reply-from
x_refsource_MISC
https://github.com/fastify/fastify-reply-from/commit/dea2...
x_refsource_MISC

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.