CVE-2026-16158
Fastify · @fastify/reply-from
The @fastify/reply-from package contains a vulnerability that allows for unintended proxy interactions, functioning as a confused deputy.
Executive summary
A critical vulnerability in the @fastify/reply-from package enables unauthorized proxy behavior, posing a significant risk of data and integrity compromise.
Vulnerability
The software is susceptible to a confused deputy vulnerability (CWE-441), where an unauthenticated remote attacker can exploit the proxy or intermediary functionality to perform unauthorized actions.
Business impact
The CVSS score of 8.7 reflects the high severity of this flaw, which allows for unauthorized data access and manipulation. If exploited, an attacker could bypass internal access controls, leading to potential data exfiltration or the alteration of sensitive application states. This poses a severe risk to the confidentiality and integrity of the underlying service infrastructure.
Remediation
Immediate Action: Upgrade to version 12.6.4 or later of @fastify/reply-from to incorporate the necessary security patches.
Proactive Monitoring: Monitor network traffic and application logs for unusual proxy requests or unexpected outbound connections originating from the application.
Compensating Controls: Implement strict network ingress and egress filtering to limit the scope of proxy requests, and deploy a Web Application Firewall to block suspicious request patterns.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the high CVSS severity, administrators should prioritize updating the affected dependency immediately. Ensuring that the application environment is running the latest patched version is the most effective way to eliminate the risk of unauthorized proxy manipulation.