Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a vulnerability in a component used for proxying web traffic, specifically related to how URL-encoded request paths are handled. If not properly addressed, an attacker could potentially bypass configured access controls and reach internal or administrative endpoints that were intended to be hidden. The primary concern is to confirm if this specific proxy component is in use and if it is exposed to such bypasses.
- Proxy incorrectly handles encoded web paths.
- Bypass could expose hidden internal endpoints.
- Confirm if exposed and confirm relevance.
Attack Path
How an attacker could exploit the issue
An attacker can exploit this vulnerability by sending a specially crafted URL to a Fastify application using the @fastify/http-proxy middleware. The proxy's mechanism for rewriting request prefixes fails when part of the prefix is URL-encoded. This allows the attacker to bypass the intended rewrite and forward the raw, encoded path to an upstream server. The upstream server then decodes this path, potentially exposing internal or administrative endpoints that were meant to be hidden.
- No authentication or privileges required.
- Triggered by sending an encoded URL prefix.
- Leads to exposure of hidden upstream endpoints.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow an attacker to bypass configured proxy rules, potentially exposing internal or administrative endpoints that the proxy was intended to hide. This occurs when the prefix segment in a request is URL-encoded, causing the proxy to forward the raw, encoded path to the upstream server instead of the intended, rewritten path.
- Internal or administrative endpoints could be exposed.
- Attackers could exploit URL encoding and proxy misconfiguration.
- Unauthorized access to sensitive internal services.
Operational Fix
Recommended remediation, mitigation, and detection steps
This critical vulnerability in @fastify/http-proxy could allow unauthenticated attackers to bypass configured rewrite prefixes and access unintended internal or administrative endpoints on upstream services. The primary responsibility for addressing this issue likely falls to the platform or application teams managing Fastify deployments, in coordination with security and network teams to assess exposure. The immediate first step is to inventory all instances of the affected component, determine their reachability and business criticality, and identify the accountable system owners before planning remediation.
- Platform and application teams should own remediation.
- Verify affected instances and their exposure.
- Plan and schedule upgrades during maintenance windows.