CVE-2026-33805
Fastify · @fastify/reply-from and @fastify/http-proxy
A vulnerability in the Fastify proxy plugins allows an attacker to strip headers the proxy itself adds to the upstream request by naming those headers in the client's Connection header.
Executive summary
A high-severity vulnerability in the Fastify proxy plugins lets an attacker list proxy-added headers in the request's Connection header; the proxy treats them as hop-by-hop and removes them before forwarding, bypassing any upstream check that relies on those headers.
Vulnerability
A proxy removes headers named in the Connection field before forwarding (RFC 7230 section 6.1, hop-by-hop headers). In the affected versions this removal was applied after the proxy had already added its own headers to the outgoing request, so a client that sends, for example, Connection: close, x-forwarded-for can have the proxy strip the forwarding or authentication headers it just injected. An upstream service that trusts those headers then sees a request without them, which can bypass security mechanisms or grant unauthorized access.
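The following is an added example, not code from the advisory or from @fastify/reply-from: a minimal model of how a proxy assembles the upstream headers, showing the vulnerable ordering (proxy headers added, then client-named hop-by-hop headers stripped) beside the corrected ordering. The header names x-internal-auth and the constructed request are assumptions for illustration.

```javascript
// Standard hop-by-hop header names a proxy always drops (lower-cased, as
// Node's http module presents header names).
const HOP_BY_HOP = new Set([
  'connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
  'te', 'trailer', 'transfer-encoding', 'upgrade',
]);

// Headers the proxy injects for the upstream (constructed example: a real
// deployment would set these through the plugin's header rewrite options).
function proxyAddedHeaders(clientIp) {
  return {
    'x-forwarded-for': clientIp,
    'x-internal-auth': 'proxy-secret', // hypothetical trust header the upstream checks
  };
}

// Tokens listed in the Connection header, trimmed and lower-cased.
function connectionTokens(headers) {
  const value = headers['connection'];
  if (!value) return [];
  return value.split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Drops standard hop-by-hop headers plus any header named in Connection.
function stripHopByHop(headers) {
  const named = new Set(connectionTokens(headers));
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (HOP_BY_HOP.has(name) || named.has(name)) continue;
    out[name] = value;
  }
  return out;
}

// Vulnerable ordering: proxy headers are merged in first, then the client's
// Connection tokens are applied to the merged set, so the client can name
// the proxy's own headers away.
function buildUpstreamVulnerable(clientHeaders, clientIp) {
  const merged = { ...clientHeaders, ...proxyAddedHeaders(clientIp) };
  return stripHopByHop(merged);
}

// Fixed ordering: hop-by-hop removal runs on the client's headers only; the
// proxy's headers are added afterwards and are out of the client's reach.
function buildUpstreamFixed(clientHeaders, clientIp) {
  const cleaned = stripHopByHop(clientHeaders);
  return { ...cleaned, ...proxyAddedHeaders(clientIp) };
}

// Constructed malicious request: the attacker names the proxy's trust
// headers as hop-by-hop.
const maliciousHeaders = {
  host: 'app.example',
  connection: 'close, x-forwarded-for, x-internal-auth',
  'user-agent': 'curl/8.0',
};

const vulnerableUpstream = buildUpstreamVulnerable(maliciousHeaders, '203.0.113.7');
const fixedUpstream = buildUpstreamFixed(maliciousHeaders, '203.0.113.7');
console.log('vulnerable ordering:', vulnerableUpstream);
console.log('fixed ordering:', fixedUpstream);
```

Run with node: under the vulnerable ordering neither x-forwarded-for nor x-internal-auth reaches the upstream, while the fixed ordering still strips the client's Connection header and then adds both proxy headers.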
Business impact
With a CVSS score of 8.6, this flaw poses a significant risk to applications that rely on these plugins to inject headers the upstream trusts, such as client identity, forwarding or authentication headers. Stripping those headers can give an attacker unauthorized access to downstream services and expose sensitive data.
Remediation
Immediate Action: Upgrade @fastify/reply-from to v12.6.2 or later and, if used, @fastify/http-proxy to v11.4.4 or later. @fastify/http-proxy is built on @fastify/reply-from, so check the resolved version of both packages in the lockfile rather than only the one listed in package.json.
Proactive Monitoring: Monitor logs for requests whose Connection header names anything other than the standard hop-by-hop tokens (close, keep-alive, upgrade, te, trailer, transfer-encoding, proxy-authenticate, proxy-authorization), and for upstream requests that arrive without the headers the proxy is expected to add.
Compensating Controls: Until the upgrade is deployed, use a WAF or edge rule to reject or normalize incoming requests whose Connection header references any non-standard token before they reach the proxy.
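To make the monitoring and compensating-control items concrete, here is an added example (not from the advisory, the Fastify project or any WAF product) of one check that serves both: it flags Connection header values naming anything beyond the standard hop-by-hop tokens, applied to constructed access-log lines and as a pre-proxy rejection gate. The log format is an assumption; adapt the parser to whatever your access log records.

```javascript
// Tokens a legitimate client may list in Connection. Anything else names a
// header the client wants the proxy to drop, which is the attack primitive.
const STANDARD_CONNECTION_TOKENS = new Set([
  'close', 'keep-alive', 'upgrade', 'te', 'trailer',
  'transfer-encoding', 'proxy-authenticate', 'proxy-authorization',
]);

// Returns the non-standard tokens in a Connection header value (lower-cased).
// An empty result means the value is benign.
function unexpectedConnectionTokens(value) {
  if (!value) return [];
  return value
    .split(',')
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t && !STANDARD_CONNECTION_TOKENS.has(t));
}

// Constructed access-log lines in an assumed "ip method path connection=<value>"
// format; quoted values may contain commas and spaces.
const SAMPLE_LOG = [
  '198.51.100.4 GET /api/users connection=keep-alive',
  '203.0.113.7 GET /admin connection="close, x-forwarded-for, x-internal-auth"',
  '198.51.100.9 POST /login connection=close',
  '203.0.113.7 GET /admin connection="X-Forwarded-For"',
  'malformed line without a connection field',
];

// Parses the assumed format and returns one finding per line whose
// Connection value names a non-standard header.
function scanLog(lines) {
  const re = /^(\S+) (\S+) (\S+) connection=(?:"([^"]*)"|(\S+))$/;
  const findings = [];
  for (const line of lines) {
    const m = re.exec(line);
    if (!m) continue; // unparseable lines are skipped, not treated as findings
    const value = m[4] !== undefined ? m[4] : m[5];
    const tokens = unexpectedConnectionTokens(value);
    if (tokens.length) findings.push({ ip: m[1], path: m[3], tokens });
  }
  return findings;
}

// Pre-proxy gate: the same rule a WAF or an onRequest hook would apply.
// Returns true when the request should be rejected before reaching the proxy.
function shouldReject(headers) {
  return unexpectedConnectionTokens(headers['connection']).length > 0;
}

console.log(scanLog(SAMPLE_LOG));
console.log('reject benign:', shouldReject({ connection: 'keep-alive' }));
console.log('reject attack:', shouldReject({ connection: 'close, x-forwarded-for' }));
```

The gate is deliberately strict: a Connection token that is not a standard hop-by-hop name has no legitimate use from a client, so rejecting it does not break normal traffic, and the same token list gives the monitoring rule and the compensating control one definition to maintain.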
Exploitation status
Public Exploit Available: true
Analyst recommendation
Because a public exploit is available, treat this vulnerability with extreme urgency. Update @fastify/reply-from and @fastify/http-proxy to the fixed versions listed above (or later), verify the resolved versions in the lockfile, and review any upstream services that trust proxy-added headers for access decisions.