fix(deps): update dependency @fastify/http-proxy to v11.4.4 [security] - autoclosed#17315
Closed
renovate[bot] wants to merge 1 commit into
Closed
fix(deps): update dependency @fastify/http-proxy to v11.4.4 [security] - autoclosed#17315renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Contributor
Author
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
11.4.3→11.4.4GitHub Vulnerability Alerts
CVE-2026-33805
Summary
@fastify/reply-fromand@fastify/http-proxyprocess the client'sConnectionheader after the proxy has added its own headers viarewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers (like access control or identification headers) from upstream requests by listing them in theConnectionheader value. This affects applications using these plugins with custom header injection for routing, access control, or security purposes.Details
The vulnerability exists in
@fastify/reply-from/lib/request.jsat lines 128-136 (HTTP/1.1 handler) and lines 191-200 (undici handler). The processing flow is:connectionheader (@fastify/reply-from/index.jsline 91)rewriteRequestHeaders(line 151)Connectionheader and strip any headers listed in itrewriteRequestHeaders, allowing clients to target proxy-added headers for removalRFC 7230 Section 6.1 Connection header processing is intended for proxies to strip hop-by-hop headers from incoming requests before adding their own headers. The current implementation reverses this order, processing the client's Connection header after the proxy has already modified the header set.
The call chain:
@fastify/reply-from/index.jsline 91:headers = { ...req.headers }— copies ALL client headers includingconnectionindex.jsline 151:requestHeaders = rewriteRequestHeaders(this.request, headers)— proxy adds custom headers (e.g.,x-forwarded-by)index.jsline 180:requestImpl({...headers: requestHeaders...})— passes headers to transportrequest.jsline 191 (undici):getConnectionHeaders(req.headers)— reads Connection header FROM THE CLIENTrequest.jslines 198-200: Strips headers listed in Connection — including proxy-added headersThis is distinct from the general hop-by-hop forwarding concern — it's specifically about the client controlling which headers get stripped from the upstream request via the Connection header, subverting the proxy's
rewriteRequestHeadersfunction.PoC
Self-contained reproduction with an upstream echo service and a proxy that adds a custom header:
Actual output:
The
x-forwarded-byheader that the proxy explicitly added inrewriteRequestHeadersis stripped before reaching the upstream.Multiple headers can be stripped at once by sending
Connection: x-forwarded-by, x-forwarded-for.Both the undici (default) and HTTP/1.1 transport handlers in
@fastify/reply-fromare affected, as well as@fastify/http-proxywhich delegates to@fastify/reply-from.Impact
Attackers can selectively remove any header added by the proxy's
rewriteRequestHeadersfunction. This enables several attack scenarios:x-internal-auth,x-proxy-token), attackers can strip them to access unauthorized resourcesConnection: authorizationto strip authentication orConnection: x-forwarded-for, x-forwarded-byto remove multiple headers at onceThis vulnerability affects deployments where the proxy adds security-relevant headers that downstream services rely on for access control decisions. It undermines the security model where proxies act as trusted intermediaries adding authentication or routing signals.
Affected Versions
@fastify/reply-from— All versions, both undici (default) and HTTP/1.1 transport handlers@fastify/http-proxy— All versions (delegates to@fastify/reply-from)rewriteRequestHeadersto add headers that could be security-relevantSuggested Fix
The Connection header from the client should be processed and consumed before
rewriteRequestHeadersis called, not after. Alternatively, the Connection header processing inrequest.jsshould maintain a list of headers that existed in the original client request and only strip those, not headers added byrewriteRequestHeaders.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:NFastify's connection header abuse enables stripping of proxy-added headers
CVE-2026-33805 / GHSA-gwhp-pf74-vj37
More information
Details
Summary
@fastify/reply-fromand@fastify/http-proxyprocess the client'sConnectionheader after the proxy has added its own headers viarewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers (like access control or identification headers) from upstream requests by listing them in theConnectionheader value. This affects applications using these plugins with custom header injection for routing, access control, or security purposes.Details
The vulnerability exists in
@fastify/reply-from/lib/request.jsat lines 128-136 (HTTP/1.1 handler) and lines 191-200 (undici handler). The processing flow is:connectionheader (@fastify/reply-from/index.jsline 91)rewriteRequestHeaders(line 151)Connectionheader and strip any headers listed in itrewriteRequestHeaders, allowing clients to target proxy-added headers for removalRFC 7230 Section 6.1 Connection header processing is intended for proxies to strip hop-by-hop headers from incoming requests before adding their own headers. The current implementation reverses this order, processing the client's Connection header after the proxy has already modified the header set.
The call chain:
@fastify/reply-from/index.jsline 91:headers = { ...req.headers }— copies ALL client headers includingconnectionindex.jsline 151:requestHeaders = rewriteRequestHeaders(this.request, headers)— proxy adds custom headers (e.g.,x-forwarded-by)index.jsline 180:requestImpl({...headers: requestHeaders...})— passes headers to transportrequest.jsline 191 (undici):getConnectionHeaders(req.headers)— reads Connection header FROM THE CLIENTrequest.jslines 198-200: Strips headers listed in Connection — including proxy-added headersThis is distinct from the general hop-by-hop forwarding concern — it's specifically about the client controlling which headers get stripped from the upstream request via the Connection header, subverting the proxy's
rewriteRequestHeadersfunction.PoC
Self-contained reproduction with an upstream echo service and a proxy that adds a custom header:
Actual output:
The
x-forwarded-byheader that the proxy explicitly added inrewriteRequestHeadersis stripped before reaching the upstream.Multiple headers can be stripped at once by sending
Connection: x-forwarded-by, x-forwarded-for.Both the undici (default) and HTTP/1.1 transport handlers in
@fastify/reply-fromare affected, as well as@fastify/http-proxywhich delegates to@fastify/reply-from.Impact
Attackers can selectively remove any header added by the proxy's
rewriteRequestHeadersfunction. This enables several attack scenarios:x-internal-auth,x-proxy-token), attackers can strip them to access unauthorized resourcesConnection: authorizationto strip authentication orConnection: x-forwarded-for, x-forwarded-byto remove multiple headers at onceThis vulnerability affects deployments where the proxy adds security-relevant headers that downstream services rely on for access control decisions. It undermines the security model where proxies act as trusted intermediaries adding authentication or routing signals.
Affected Versions
@fastify/reply-from— All versions, both undici (default) and HTTP/1.1 transport handlers@fastify/http-proxy— All versions (delegates to@fastify/reply-from)rewriteRequestHeadersto add headers that could be security-relevantSuggested Fix
The Connection header from the client should be processed and consumed before
rewriteRequestHeadersis called, not after. Alternatively, the Connection header processing inrequest.jsshould maintain a list of headers that existed in the original client request and only strip those, not headers added byrewriteRequestHeaders.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
fastify/fastify-http-proxy (@fastify/http-proxy)
v11.4.4Compare Source
This fixes CVE CVE-2026-33805 GHSA-gwhp-pf74-vj37.
What's Changed
Full Changelog: fastify/fastify-http-proxy@v11.4.3...v11.4.4
Configuration
📅 Schedule: (in timezone Asia/Tokyo)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.