CVE-2026-16117
@fastify · http-proxy
The @fastify/http-proxy package fails to correctly rewrite request prefixes when URL-encoded, allowing attackers to bypass configured path restrictions and access sensitive internal endpoints.
Executive summary
A critical input validation flaw in @fastify/http-proxy allows attackers to bypass prefix-based security controls and access unauthorized internal or administrative upstream endpoints.
Vulnerability
This is an improper input validation vulnerability (CWE-20). By using URL-encoded segments in a request, an attacker can trick the proxy into matching a route while failing to perform the intended prefix rewrite, causing the raw path to be forwarded to the upstream server.
Business impact
By bypassing rewrite rules, an attacker can reach administrative or internal endpoints that the proxy was intended to hide. This can lead to unauthorized data exposure or administrative action within the upstream services. With a CVSS score of 10.0, this vulnerability carries maximum severity, as it facilitates unauthorized access to potentially sensitive internal systems.
Remediation
Immediate Action: Upgrade the @fastify/http-proxy package to version 11.6.0 or later to ensure proper path normalization and prefix rewriting.
Proactive Monitoring: Review proxy access logs for requests containing URL-encoded characters that attempt to access restricted or sensitive paths.
Compensating Controls: Implement strict request filtering at the application layer or via a WAF to block requests that contain suspicious or double-encoded path segments.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of this flaw, immediate dependency updates are required for all applications utilizing the @fastify/http-proxy package. Ensure that testing includes verifying that path-based access controls remain intact after the update.