Request Prefix Rewrite Flaw in @fastify/http-proxy by Fastify
CVE-2026-16117

10CRITICAL

Key Information:

Vendor
CVE Published:
18 July 2026

What is CVE-2026-16117?

@fastify/http-proxy versions up to 11.5.0 contain a vulnerability that fails to properly rewrite request prefixes when they are URL-encoded. The Fastify router handles URL-decoding for routing, but the original encoded request.url remains unchanged. This can allow an attacker to craft requests that match routes without applying the necessary rewrites, potentially exposing sensitive upstream paths that should be secured. Users are strongly encouraged to upgrade to version 11.6.0 or later to mitigate this risk.

Affected Version(s)

@fastify/http-proxy 0 < 11.6.0

@fastify/http-proxy 11.6.0

References

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

tndud042713
mcollina
UlisesGascon
.