{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33805", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-23T19:48:48.714Z", "datePublished": "2026-04-15T10:13:25.147Z", "dateUpdated": "2026-04-15T13:08:12.612Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T10:13:25.147Z"}, "descriptions": [{"lang": "en", "value": "@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. \n\nUpgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. \n\nUpgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later."}]}], "affected": [{"vendor": "@fastify/reply-from", "product": "@fastify/reply-from", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "0", "lessThan": "12.6.2"}, {"versionType": "semver", "status": "unaffected", "version": "12.6.2"}], "packageURL": "pkg:npm/@fastify/reply-from"}, {"vendor": "@fastify/reply-from", "product": "@fastify/http-proxy", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "0", "lessThan": "11.4.4"}, {"versionType": "semver", "status": "unaffected", "version": "11.4.4"}], "packageURL": "pkg:npm/@fastify/http-proxy"}], "references": [{"url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "credits": [{"lang": "en", "type": "reporter", "value": "FredKSchott"}, {"lang": "en", "type": "remediation developer", "value": "mcollina"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}, {"lang": "en", "type": "remediation reviewer", "value": "climba03003"}], "title": "@fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers", "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N", "baseScore": 9, "baseSeverity": "CRITICAL"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-644", "lang": "en", "description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"references": [{"url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:08:08.503908Z", "id": "CVE-2026-33805", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:08:12.612Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33805", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:08:08.503908Z"}}}], "references": [{"url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:07:59.414Z"}}], "cna": {"title": "@fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers", "credits": [{"lang": "en", "type": "reporter", "value": "FredKSchott"}, {"lang": "en", "type": "remediation developer", "value": "mcollina"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}, {"lang": "en", "type": "remediation reviewer", "value": "climba03003"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "@fastify/reply-from", "product": "@fastify/reply-from", "versions": [{"status": "affected", "version": "0", "lessThan": "12.6.2", "versionType": "semver"}, {"status": "unaffected", "version": "12.6.2", "versionType": "semver"}], "packageURL": "pkg:npm/@fastify/reply-from", "defaultStatus": "unaffected"}, {"vendor": "@fastify/reply-from", "product": "@fastify/http-proxy", "versions": [{"status": "affected", "version": "0", "lessThan": "11.4.4", "versionType": "semver"}, {"status": "unaffected", "version": "11.4.4", "versionType": "semver"}], "packageURL": "pkg:npm/@fastify/http-proxy", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "x_generator": {"engine": "cve-kit 1.0.0"}, "descriptions": [{"lang": "en", "value": "@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. \n\nUpgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.", "supportingMedia": [{"type": "text/html", "value": "@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. \n\nUpgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-644", "description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T10:13:25.147Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33805", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:08:12.612Z", "dateReserved": "2026-03-23T19:48:48.714Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2026-04-15T10:13:25.147Z", "assignerShortName": "openjs"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. \n\nUpgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later."}], "id": "CVE-2026-33805", "lastModified": "2026-04-15T14:16:15.507", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-04-15T11:16:34.990", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://cna.openjsf.org/security-advisories.html"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-644"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.4.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.4.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "@fastify/http-proxy", "source": "cna", "vendor": "@fastify/reply-from"}, "product": "fastify-http-proxy", "vendor": "fastify"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,12.6.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "12.6.2"}}], "original": {"product": "@fastify/reply-from", "source": "cna", "vendor": "@fastify/reply-from"}, "product": "fastify-reply-from", "vendor": "fastify"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,12.6.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "12.6.2"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "@fastify/reply-from", "source": "cna", "vendor": "@fastify/reply-from"}, "product": "fastify-reply-from", "vendor": "fastify-reply-from_project"}], "analysis": {"en": {"generated_at": "2026-04-15T11:26:14.321847+00:00", "value": {"mitigation_remediation": ["Upgrade @fastify/reply\u2011from to version 12.6.2 or later.", "Upgrade @fastify/http\u2011proxy to version 11.4.4 or later.", "Configure the proxy to reject or remove any Connection header values that attempt to strip headers added by the proxy, ensuring only a whitelisted set of headers can be forwarded."], "summary": {"action": "Immediate Patch", "impact": "Bypass of proxy\u2011added headers used for routing or access control"}, "threat_synthesis": {"affected_systems": "Affected products include the Fastify reply\u2011from plugin up to and including version 12.6.1 and the Fastify http\u2011proxy plugin up to and including version 11.4.3. Both libraries process the Connection header in a way that allows the aforementioned manipulation and must be upgraded to the versions cited in the advisory for remediation.", "description_and_impact": "The vulnerability exists in @fastify/reply\u2011from and @fastify/http\u2011proxy where the library processes the client\u2019s Connection header after the proxy has injected its own headers. This allows an attacker to list those proxy\u2011added headers in the Connection header value, causing the library to strip them from the upstream request. The result is that routing, access\u2011control, or security headers that the proxy added are removed, enabling the attacker to bypass proxy\u2011enforced controls or redirect traffic. This flaw is a form of HTTP header manipulation (CWE\u2011644) that compromises the integrity and confidentiality of requests handled by the proxy.", "risk_and_exploitability": "The advisory assigns a CVSS base score of 9, indicating critical impact. No EPSS score is published, and the vulnerability is not listed in the CISA KEV catalog, but its severity and the straightforward nature of the attack vector make it a high\u2011risk flaw. An attacker only needs to send an HTTP request to the vulnerable proxy service and supply a Connection header that names a proxy\u2011added header; no authentication is required. If the proxy forwards requests to sensitive services, the attacker can effectively remove headers that guard against unauthorized access or enforce routing policies."}}}}, "created": "2026-04-15T13:49:14.855700+00:00", "updated": "2026-04-15T14:53:03.037992+00:00", "vendors": ["fastify", "fastify$PRODUCT$fastify-http-proxy", "fastify$PRODUCT$fastify-reply-from", "fastify-reply-from_project", "fastify-reply-from_project$PRODUCT$fastify-reply-from"]}