WebSocket Path Traversal Vulnerability in @fastify/http-proxy by Fastify
CVE-2026-15631

8.7HIGH

Key Information:

Vendor
CVE Published:
18 July 2026

What is CVE-2026-15631?

The @fastify/http-proxy package versions 9.4.0 to 11.5.0 exhibit a vulnerability where the WebSocket destination path is not properly validated against the configured rewrite prefix. This allows crafted upgrade requests containing path traversal sequences to potentially escape the rewrite prefix and access upstream endpoints that should remain protected. Although exploitation requires a non-normalizing WebSocket client, such vulnerability can pose a significant risk in specific production environments with raw HTTP clients or proxies forwarding requests without changing them. Users are strongly advised to update to version 11.6.0 or later to mitigate this vulnerability.

Affected Version(s)

@fastify/http-proxy 9.4.0 < 11.6.0

@fastify/http-proxy 11.6.0

References

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Universe-Theori
UlisesGascon
mcollina
teammyinside
climba03003
KuniNogu
.