GCVE - cpe:2.3:a:fastify:fastify-reply-from:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:fastify:fastify-reply-from:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Fastify (`51747187-798b-5030-972d-b19db43759b4`)
Product	Fastify Reply From (`7142d334-54b5-5e39-9765-8808bd99805f`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-66415`	vulnerable	2026-06-03 15:11:00.475432	fastify-reply-from bypass of reply forwarding fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0. Published: 2025-12-01T22:39:32.468Z Updated: 2025-12-02T14:13:45.644Z Open on db.gcve.eu Reference links https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-2q7r-29rg-6m5h https://github.com/fastify/fastify-reply-from/commit/4d9795cd5b57a36756d37b7f036eae369f69fa66	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-51701`	vulnerable	2026-06-03 14:53:38.307392	@fastify-reply-from JSON Content-Type parsing confusion MEDIUM (5.3) fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. A reverse proxy server built with `@fastify/reply-from` could misinterpret the incoming body by passing an header `ContentType: application/json ; charset=utf-8`. This can lead to bypass of security checks. This vulnerability has been patched in '@fastify/reply-from` version 9.6.0. Published: 2024-01-08T13:55:05.071Z Updated: 2025-06-03T14:37:39.150Z Open on db.gcve.eu Reference links https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-v2v2-hph8-q5xp https://github.com/fastify/fastify-reply-from/releases/tag/v9.6.0	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-21321`	vulnerable	2026-06-03 14:43:44.312586	Prefix escape CRITICAL (10) fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is "/pub/", a user expect that accessing "/priv" on the target service would not be possible. In affected versions, it is possible. This is fixed in version 4.0.2. Published: 2021-03-02T03:35:25.000Z Updated: 2024-08-03T18:09:15.260Z Open on db.gcve.eu Reference links https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-qmw8-3v4g-gwj4 https://www.npmjs.com/package/fastify-reply-from https://github.com/fastify/fastify-reply-from/commit/dea227dda606900cc01870d08541b4dcc69d3889	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.