Unauthenticated Route Access in Fastify Reply From Plugin
CVE-2025-66415

6.9 MEDIUM

Key Information:

Vendor:
Fastify

CVE Published:
1 December 2025

What is CVE-2025-66415?

fastify-reply-from (published on npm as @fastify/reply-from) is the Fastify plugin used to forward an incoming HTTP request to another server, typically as a reverse proxy in front of an internal service. In versions before 12.5.0, a crafted request URL could cause the forwarded request to reach a route the proxy was not meant to expose, so an unauthenticated client could interact with restricted upstream endpoints and potentially read data from them. Version 12.5.0 fixes the issue by validating the route before the request is forwarded; the remediation is to upgrade to 12.5.0 or later and, until then, to confine what the proxy will forward to the routes it is intended to expose.
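The following is an added example, not code from fastify-reply-from or from its fix. It shows the kind of pre-forward check a proxy route needs so that a crafted request URL cannot steer the forwarded request to another origin or outside the path prefix the route is meant to expose. The helper name `resolveUpstreamTarget`, the upstream `http://upstream.internal:8080/`, the `/api` prefix and the sample request-targets are assumptions constructed for the example and do not describe the exact input that triggered this CVE.

```javascript
// Added example (not code from fastify-reply-from or its fix): a pre-forward
// check for a proxy route. The upstream base, the allowed prefix and the
// sample request-targets below are constructed for this example.

/**
 * Resolve the raw request-target a client sent against the configured
 * upstream base, exactly as the WHATWG URL parser does, and accept the
 * result only if it still points at the upstream origin and stays under
 * the path prefix this proxy route is meant to expose.
 *
 * Returns the absolute upstream URL to forward to, or null to reject.
 */
function resolveUpstreamTarget(upstreamBase, requestUrl, allowedPrefix) {
  const base = new URL(upstreamBase);
  let target;
  try {
    target = new URL(requestUrl, base);
  } catch {
    return null; // not a parseable request-target
  }

  // A scheme-relative ("//host/...") or absolute request-target resolves to
  // another origin; a forwarder that merely concatenated strings would follow it.
  if (target.origin !== base.origin) return null;

  // The parser has already collapsed ".", "..", "%2e%2e" and backslashes, so
  // compare the normalized path, not the raw string the client sent.
  const prefix = allowedPrefix.endsWith('/') ? allowedPrefix : `${allowedPrefix}/`;
  const inScope = target.pathname === allowedPrefix || target.pathname.startsWith(prefix);
  if (!inScope) return null;

  // Encoded dots, slashes and backslashes survive normalization here but may
  // be decoded by the upstream into a different route than the one checked.
  if (/%2e|%2f|%5c/i.test(target.pathname)) return null;

  return target.href;
}

// Constructed request-targets: two well-formed requests and several shapes of
// crafted URL that try to reach a route outside /api on the upstream.
const UPSTREAM = 'http://upstream.internal:8080/';
const SAMPLES = [
  '/api/users/42',
  '/api/users?id=42',
  '/api/../admin',
  '/api/%2e%2e/admin',
  '/api/..%2fadmin',
  '/api/..\\admin',
  '//evil.example/api/users',
  'http://evil.example/api/users',
  '/admin',
];

// Run every sample through the check and report the decision for each.
function checkSamples() {
  return SAMPLES.map((requestUrl) => ({
    requestUrl,
    forwardTo: resolveUpstreamTarget(UPSTREAM, requestUrl, '/api'),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const { requestUrl, forwardTo } of checkSamples()) {
    console.log(`${forwardTo ? 'FORWARD' : 'REJECT '} ${requestUrl}${forwardTo ? ' -> ' + forwardTo : ''}`);
  }
}
```

The check compares the parsed, normalized result rather than the raw request string, because the same bytes can mean different things to a string-concatenating forwarder and to the URL parser the upstream uses. It is a defence-in-depth measure for the class of bug this advisory describes, not a substitute for upgrading to 12.5.0.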

Affected Version(s)

fastify-reply-from < 12.5.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 1 December 2025