Cross-Upstream Data Access Vulnerability in @fastify/reply-from by Fastify
CVE-2026-16158

8.7HIGH

Key Information:

Vendor
CVE Published:
18 July 2026

What is CVE-2026-16158?

A vulnerability has been identified in versions of @fastify/reply-from from 8.3.1 up to, but not including, 12.6.4. This issue arises from the way the internal URL cache key is built by concatenating the destination and source paths without a delimiter, which can lead to data access and modification issues. Specifically, distinct destination and source pairs may generate identical cache keys, allowing a request meant for one upstream to inadvertently access URL data cached for another upstream. This could result in unintended data exposure or alteration. To mitigate this vulnerability, it is recommended to upgrade to version 12.6.4 or later, or to configure the plugin with disableCache set to true.

Affected Version(s)

@fastify/reply-from 8.3.1 < 12.6.4

@fastify/reply-from 12.6.4

References

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

HamdaanAliQuatil
mcollina
UlisesGascon
climba03003
.