External risk intelligence

@fastify/http-proxy URL Encoding Bypass Allows Access to Hidden Endpoints.

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-16117

This vulnerability affects an HTTP proxy component commonly used in web applications and API gateway deployments. Such components are typically positioned as internet-facing services to route and manage incoming web traffic, making the proxy's handling of request paths and prefix rewriting a directly internet-reachable surface.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in a component used for proxying web traffic, specifically related to how URL-encoded request paths are handled. If not properly addressed, an attacker could potentially bypass configured access controls and reach internal or administrative endpoints that were intended to be hidden. The primary concern is to confirm if this specific proxy component is in use and if it is exposed to such bypasses.

  • Proxy incorrectly handles encoded web paths.
  • Bypass could expose hidden internal endpoints.
  • Confirm if exposed and confirm relevance.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted URL to a Fastify application using the @fastify/http-proxy middleware. The proxy's mechanism for rewriting request prefixes fails when part of the prefix is URL-encoded. This allows the attacker to bypass the intended rewrite and forward the raw, encoded path to an upstream server. The upstream server then decodes this path, potentially exposing internal or administrative endpoints that were meant to be hidden.

  • No authentication or privileges required.
  • Triggered by sending an encoded URL prefix.
  • Leads to exposure of hidden upstream endpoints.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to bypass configured proxy rules, potentially exposing internal or administrative endpoints that the proxy was intended to hide. This occurs when the prefix segment in a request is URL-encoded, causing the proxy to forward the raw, encoded path to the upstream server instead of the intended, rewritten path.

  • Internal or administrative endpoints could be exposed.
  • Attackers could exploit URL encoding and proxy misconfiguration.
  • Unauthorized access to sensitive internal services.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in @fastify/http-proxy could allow unauthenticated attackers to bypass configured rewrite prefixes and access unintended internal or administrative endpoints on upstream services. The primary responsibility for addressing this issue likely falls to the platform or application teams managing Fastify deployments, in coordination with security and network teams to assess exposure. The immediate first step is to inventory all instances of the affected component, determine their reachability and business criticality, and identify the accountable system owners before planning remediation.

  • Platform and application teams should own remediation.
  • Verify affected instances and their exposure.
  • Plan and schedule upgrades during maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is @fastify/http-proxy?

This software is a middleware component for the Fastify web framework designed to route and manage web traffic. Developers use it to act as an intermediary, allowing them to forward requests to different backend services while modifying or masking specific URL paths, which helps in organizing API structures or shielding specific administrative endpoints from direct external reach.

What does CWE-20 mean for CVE-2026-16117?

This vulnerability is classified as Improper Input Validation (CWE-20). In the context of this CVE, it means the proxy does not correctly account for how different parts of a web request are interpreted. Because the proxy performs a literal string check that fails when characters are URL-encoded, it mistakenly allows traffic to pass through that should have been caught or modified by the proxy's security rules.

How does an attacker trigger this proxy bypass?

An attacker triggers this by sending a request where the configured prefix contains URL-encoded characters. Because the proxy treats these characters differently than the router does, the rewrite logic fails to match the prefix, causing the proxy to pass the raw request directly to the upstream server. Requests using standard, unencoded paths do not trigger this bypass because the rewrite logic functions correctly in those cases.

Is my system at risk with CVE-2026-16117?

Halo Surface Signal indicates that because @fastify/http-proxy is frequently deployed as an internet-facing gateway, this vulnerability is highly relevant to public-facing applications. You should prioritize assessment if your proxy serves as a gatekeeper for internal or administrative services, as the bug essentially renders those hidden configurations ineffective against crafted requests arriving from the internet.

What should I do if I use this software?

The primary response is to upgrade your @fastify/http-proxy dependency to version 11.6.0. Start by identifying where this component is deployed within your infrastructure and coordinate with your application teams to schedule the update. Since no functional workarounds exist, applying this patch is the only way to ensure the rewrite mechanism properly handles URL-encoded paths.

References