CVE-2026-15631
Fastify · @fastify/http-proxy
A path traversal vulnerability in @fastify/http-proxy allows unauthenticated remote attackers to access restricted directory structures on the host system.
Executive summary
A path traversal vulnerability in the @fastify/http-proxy package poses a high risk of unauthorized file system access due to improper input validation.
Vulnerability
This is a path traversal vulnerability (CWE-22) occurring within the proxy module. It allows an unauthenticated attacker to manipulate file paths and potentially access sensitive data outside of the intended directory.
Business impact
Successful exploitation allows unauthorized access to sensitive files on the underlying server, which could lead to full system compromise or the exposure of proprietary configuration data. With a CVSS score of 8.7, this vulnerability is classified as high severity, reflecting the potential for significant impact on confidentiality and integrity.
Remediation
Immediate Action: Update the @fastify/http-proxy package to version 11.6.0 or later to include the necessary path validation logic.
Proactive Monitoring: Review application access logs for suspicious URL patterns containing directory traversal sequences, such as dot-dot-slash (../) strings, targeting the proxy endpoint.
Compensating Controls: Implement a Web Application Firewall (WAF) rule to block incoming requests containing directory traversal characters directed at the proxy service.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Given the critical nature of path traversal vulnerabilities in proxy components, immediate patching is required. Organizations should prioritize updating to version 11.6.0 to eliminate the vulnerability and prevent potential unauthorized access to the host file system.