WebSocket Path Traversal Vulnerability in @fastify/http-proxy by Fastify
CVE-2026-15631
What is CVE-2026-15631?
The @fastify/http-proxy package versions 9.4.0 to 11.5.0 exhibit a vulnerability where the WebSocket destination path is not properly validated against the configured rewrite prefix. This allows crafted upgrade requests containing path traversal sequences to potentially escape the rewrite prefix and access upstream endpoints that should remain protected. Although exploitation requires a non-normalizing WebSocket client, such vulnerability can pose a significant risk in specific production environments with raw HTTP clients or proxies forwarding requests without changing them. Users are strongly advised to update to version 11.6.0 or later to mitigate this vulnerability.
Affected Version(s)
@fastify/http-proxy 9.4.0 < 11.6.0
@fastify/http-proxy 11.6.0
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved
