EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in packages used with Fastify, a popular Node.js web framework. Affected software includes fastify/reply-from, fastify/http-proxy, and fastify/express. The vulnerabilities range from critical remote code execution (RCE) and cross-site scripting (XSS) to authentication bypass via URL normalization gaps (duplicate slashes and semicolons). Business risk and impact are significant, as these vulnerabilities can be exploited by attackers to compromise sensitive data, disrupt services, or gain unauthorized access to systems. Users of Fastify applications are advised to upgrade to the latest patched versions of these packages to mitigate these risks.
CVE-2026-33805 with a CVSS score of 9.0 – This vulnerability allows headers that the proxy adds to the upstream request to be stripped by naming them in the Connection header value. Attackers can exploit this to retroactively remove headers added by the proxy for routing, access control, or security purposes. This affects applications using fastify/reply-from and fastify/http-proxy that inject custom headers for routing, access control, or security purposes.
CVE-2026-33807 with a CVSS score of 9.1 – This critical vulnerability allows complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware. An unauthenticated attacker can access protected routes by manipulating the URL path. This affects applications using fastify/express v4.0.4 or earlier.
CVE-2026-33808 with a CVSS score of 9.1 – In this critical vulnerability, fastify/express fails to normalize URLs before passing them to Express middleware when Fastify's router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes or semicolon delimiters. In both cases, Fastify's router normalizes the URL and matches the route, but fastify/express passes the original un-normalized URL to Express middleware, whose path scope fails to match, so the middleware is skipped. This affects applications using fastify/express v4.0.4 or earlier.
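The mismatch described above, shown as an added example that is not code from fastify/express or Fastify: a path-scoped gate checked against the raw URL beside one checked against the normalized path the router matches on. The normalization rules (path ends at the first '?' or ';', runs of '/' collapse), the prefix '/admin' and the sample URLs are assumptions constructed for the illustration, not a copy of Fastify's router logic.

```javascript
// Normalize a request path. Assumed rules for this example (not Fastify's
// exact implementation): the path ends at the first '?' or ';' and any run
// of consecutive '/' collapses to a single '/'.
function normalizePath(rawUrl) {
  const cut = rawUrl.search(/[?;]/);
  const path = cut === -1 ? rawUrl : rawUrl.slice(0, cut);
  return path.replace(/\/{2,}/g, '/');
}

// Express-style mount check: the path is the prefix itself or lives under it.
function prefixMatches(path, prefix) {
  return path === prefix || path.startsWith(prefix + '/');
}

// Vulnerable pattern: the scope check sees the un-normalized path, so a
// request the router normalizes into the protected scope is not gated.
function rawGate(rawUrl, prefix, hasCredential) {
  const path = rawUrl.split('?')[0];
  if (prefixMatches(path, prefix) && !hasCredential) return 'deny';
  return 'allow';
}

// Hardened pattern: normalize first so the gate sees the same path the
// router matched, then apply the identical scope check.
function hardenedGate(rawUrl, prefix, hasCredential) {
  if (prefixMatches(normalizePath(rawUrl), prefix) && !hasCredential) return 'deny';
  return 'allow';
}

// Constructed sample requests: a plain path, a duplicate-slash variant and a
// semicolon variant. All three normalize into the '/admin' scope.
const SAMPLES = ['/admin/users', '//admin/users', '/admin;v=1/users'];

// Compare both gates for unauthenticated requests to each sample.
function compareGates(prefix) {
  return SAMPLES.map((url) => ({
    url,
    raw: rawGate(url, prefix, false),
    hardened: hardenedGate(url, prefix, false),
  }));
}
```

Run compareGates('/admin') to see the raw gate allow the two normalization-gap variants while the hardened gate denies all three.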
The exploitation of these vulnerabilities can have severe consequences, including data breaches, unauthorized access to systems, and disruption of services. It is essential that users of Fastify applications take immediate action to mitigate these risks by upgrading to the latest patched versions of the affected packages.
RECOMMENDATION:
We recommend updating fastify/reply-from to version 12.6.2, fastify/http-proxy to version 11.4.4, and fastify/express to version 4.0.5, as applicable to your application.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-gwhp-pf74-vj37
https://github.com/advisories/GHSA-hrwm-hgmj-7p9c
https://github.com/advisories/GHSA-6hw5-45gm-fj88