External risk intelligence

Fastify proxy software can be tricked into ignoring security rules allowing attackers control.

CVE advisory. Severity: CRITICAL (CVSS 9.0)

CVE-2026-33805

Critical security flaw in Fastify proxy software allows attackers to bypass security rules, potentially exposing services to unauthorized access. Upgrade immediately.

Halo Surface Signal: 4

Affected: @fastify/http-proxy before 11.4.4; @fastify/reply-from before 12.6.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-33805

The software components are proxy and gateway plugins specifically designed to manage traffic between external clients and backend services. Because these libraries are typically utilized to construct internet-facing web applications, API gateways, and edge services that bridge public internet traffic to internal infrastructure, the vulnerable surface is commonly exposed to the internet by design.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows an attacker to bypass security controls by manipulating the `Connection` header of a request. Because a proxy treats every header name listed in `Connection` as hop-by-hop and strips it before forwarding, an attacker can name headers the proxy itself added and have them removed from the upstream request. In proxy or gateway deployments this can enable unauthorized access to, or manipulation of, upstream services.

  • Strips proxy-added security or routing headers.
  • Impacts services handling external requests.
  • Requires only a crafted `Connection` header.

Attack Path

How an attacker could exploit the issue

An attacker sends a request to a vulnerable proxy with a `Connection` header whose value lists the names of headers the proxy adds before forwarding. The proxy then strips those headers as hop-by-hop, removing security or routing information from the upstream request and potentially bypassing access controls or altering how traffic is routed. This is effective against systems using @fastify/reply-from or @fastify/http-proxy in versions before the fixes.

  • Target common proxy plugins.
  • List proxy-added header names in the `Connection` header.
  • Bypass proxy security controls.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows attackers to bypass security controls by using the `Connection` header to remove proxy-added headers. It is attractive to weaponize because a single crafted header can strip critical security or routing information, potentially enabling unauthorized access or other malicious actions, and the affected libraries are often exposed externally.

  • Exploitable with network access alone; no authentication needed to send the header.
  • Public exploit code is not yet available.
  • Libraries are commonly internet-facing.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize upgrading `@fastify/reply-from` to `v12.6.2` or later and `@fastify/http-proxy` to `v11.4.4` or later to address the critical vulnerability. If immediate patching is not feasible, implement strict ingress filtering and monitor traffic for suspicious `Connection` header values. A practical interim check is to reject or rewrite any request whose `Connection` header names anything beyond the standard tokens (`close`, `keep-alive`, `upgrade`) before it reaches the proxy, since a legitimate client has no reason to name proxy-internal headers there.

  • Upgrade to patched versions.
  • Block or monitor `Connection` header values that list non-standard tokens.
  • Review proxy configurations for header rewrite logic, in particular whether proxy-added headers are applied before or after hop-by-hop stripping.
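The following is an added example, not code from @fastify/reply-from, @fastify/http-proxy, or the Fastify project. It models the flaw described in the Attack Path section and the interim check recommended in the Operational Fix section. The header names the proxy injects (`x-forwarded-for` and a hypothetical `x-internal-auth`), their values, and the sample request are all constructed assumptions, not the real plugins' behaviour; the point is the ordering of "add proxy headers" versus "strip hop-by-hop headers named in `Connection`".

```javascript
// Added example (not the real plugin code): simplified model of the
// Connection-header stripping flaw and a hardened header-preparation order.

// RFC 7230 §6.1: each token listed in Connection names a header that a proxy
// must not forward. These tokens are the only values a normal client sends.
const STANDARD_CONNECTION_TOKENS = new Set(['close', 'keep-alive', 'upgrade']);

// Headers that are always hop-by-hop regardless of Connection.
const ALWAYS_HOP_BY_HOP = new Set([
  'connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
  'te', 'trailer', 'transfer-encoding', 'upgrade',
]);

// Split a Connection header value into lower-case tokens.
function connectionTokens(value) {
  if (!value) return [];
  return String(value).split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Delete hop-by-hop headers (fixed set plus tokens) from a header map in place.
function stripHopByHop(headers, tokens) {
  for (const name of Object.keys(headers)) {
    if (ALWAYS_HOP_BY_HOP.has(name) || tokens.includes(name)) delete headers[name];
  }
  return headers;
}

// Headers the proxy injects before forwarding. Hypothetical names/values,
// chosen only to illustrate a routing header and a security header.
function proxyAddedHeaders(clientIp) {
  return { 'x-forwarded-for': clientIp, 'x-internal-auth': 'gateway-secret' };
}

// VULNERABLE order: proxy headers are added first, then every name in the
// client's Connection header is stripped, including the proxy's own headers.
// A request with "Connection: x-internal-auth" removes the auth header.
function buildUpstreamHeadersVulnerable(clientHeaders, clientIp) {
  const out = { ...clientHeaders, ...proxyAddedHeaders(clientIp) };
  return stripHopByHop(out, connectionTokens(clientHeaders.connection));
}

// FIXED order: hop-by-hop stripping is applied only to the client's headers,
// and proxy headers are added afterwards, so the client cannot name them.
function buildUpstreamHeadersFixed(clientHeaders, clientIp) {
  const out = stripHopByHop({ ...clientHeaders }, connectionTokens(clientHeaders.connection));
  return { ...out, ...proxyAddedHeaders(clientIp) };
}

// Interim ingress check: return any Connection tokens outside the standard
// set. A non-empty result is a reason to block the request or raise an alert.
function suspiciousConnectionTokens(value) {
  return connectionTokens(value).filter((t) => !STANDARD_CONNECTION_TOKENS.has(t));
}

// Constructed sample request (not captured traffic): a client trying to strip
// both proxy-added headers from the forwarded request.
const sampleRequest = {
  host: 'api.example.test',
  connection: 'keep-alive, x-internal-auth, x-forwarded-for',
  authorization: 'Bearer client-token',
};

// Run the three functions over the sample and return the results for inspection.
function demo() {
  return {
    vulnerable: buildUpstreamHeadersVulnerable(sampleRequest, '198.51.100.7'),
    fixed: buildUpstreamHeadersFixed(sampleRequest, '198.51.100.7'),
    suspicious: suspiciousConnectionTokens(sampleRequest.connection),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the vulnerable output both `x-forwarded-for` and `x-internal-auth` are missing from the upstream headers; in the fixed output both are present while `connection` itself is still dropped. `suspiciousConnectionTokens` is the shape of check that could run in a Fastify `onRequest` hook or at an upstream ingress filter while the upgrade is rolled out.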

Frequently asked questions

What are @fastify/reply-from and @fastify/http-proxy used for in web applications and APIs?

@fastify/reply-from and @fastify/http-proxy are used as intermediaries in web applications and APIs, forwarding client requests to backend services. They are commonly employed in proxy or gateway setups to manage traffic flow between external clients and internal infrastructure.

What type of vulnerability is CVE-2026-33805 and what is its weakness class?

CVE-2026-33805 is a vulnerability classified as Improper Handling of Headers (CWE-644). It occurs when software improperly processes the client's `Connection` header, allowing attackers to remove security headers that a proxy had previously added.

How can an attacker exploit CVE-2026-33805 by manipulating the Connection header?

An attacker can exploit this by manipulating the `Connection` header in requests to a vulnerable proxy. By listing the names of headers the proxy adds in the `Connection` header's value, the attacker causes the proxy to treat them as hop-by-hop and strip them from the upstream request after they were added, potentially bypassing security controls.

What is the relevance of CVE-2026-33805 given its common usage in internet-facing services?

The relevance of CVE-2026-33805 is heightened because the affected libraries, @fastify/reply-from and @fastify/http-proxy, are frequently used in internet-facing web applications, API gateways, and edge services. This common exposure means a wide range of systems could be vulnerable to attacks that bypass security configurations.

What is the recommended action to address CVE-2026-33805?

The primary action to address this vulnerability is to upgrade `@fastify/reply-from` to version `v12.6.2` or later, and `@fastify/http-proxy` to version `v11.4.4` or later. If immediate upgrades are not possible, filter or monitor requests whose `Connection` header lists non-standard tokens.
