Request Prefix Rewrite Flaw in @fastify/http-proxy by Fastify
CVE-2026-16117
10CRITICAL
What is CVE-2026-16117?
@fastify/http-proxy versions up to 11.5.0 contain a vulnerability that fails to properly rewrite request prefixes when they are URL-encoded. The Fastify router handles URL-decoding for routing, but the original encoded request.url remains unchanged. This can allow an attacker to craft requests that match routes without applying the necessary rewrites, potentially exposing sensitive upstream paths that should be secured. Users are strongly encouraged to upgrade to version 11.6.0 or later to mitigate this risk.
Affected Version(s)
@fastify/http-proxy 0 < 11.6.0
@fastify/http-proxy 11.6.0
