Fastify Reply From Path Traversal Vulnerability Allowing Unauthorized Route Access

Vulnerability

A path traversal vulnerability has been identified in the Fastify plugin 'fastify-reply-from', affecting versions through 12.4.0. It allows an attacker to reach restricted routes by crafting a URL that includes path traversal sequences. The issue arises when 'reply.from' is configured to protect specific routes: a crafted request bypasses those restrictions and reaches resources the route configuration was meant to keep off limits.

Impact

Exploitation of this vulnerability could lead to unauthorized access to routes and resources that are meant to be protected, potentially exposing sensitive data or functionality.

Reproduction

To reproduce this vulnerability, register the 'fastify-reply-from' plugin with a base URL that points to a resource, such as a file or an API endpoint, that is protected by the plugin. Then, send a request to a route that is not allowed, including a query string that contains path traversal sequences, such as '..' or its URL-encoded equivalent '%2e%2e'. The request will bypass the route restrictions and access the protected resource.
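A defender-side check that follows from the description above, added here as an example and not code from fastify-reply-from: it percent-decodes each proxied request target (path plus query string) and flags any that contains a '..' segment in either the path or a query value, so requests matching this pattern can be rejected or alerted on while the upgrade is rolled out. The log lines are constructed samples.

```javascript
// Added example (not part of fastify-reply-from). Detects request targets
// whose path or query string carries a '..' traversal segment, including
// percent-encoded forms such as '%2e%2e' and double-encoded '%252e%252e'.

// Constructed sample access-log lines: "<method> <target> <status>".
const sampleLogLines = [
  'GET /public/index.html 200',
  'GET /public/data?file=report.txt 200',
  'GET /public/data?file=..%2F..%2Fadmin%2Fsecrets 200',
  'GET /public/%2e%2e/admin 200',
  'GET /public/notes..txt 200',
];

// Decode percent-encoding repeatedly (bounded) so nested encodings
// collapse before inspection; stop on malformed sequences.
function fullyDecode(s) {
  let cur = s;
  for (let i = 0; i < 5; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (e) {
      return cur;
    }
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

// True when any path segment, query key, or query value of the decoded
// target is exactly '..'. A name like 'notes..txt' is not flagged.
function hasTraversalSegment(target) {
  const decoded = fullyDecode(target);
  return decoded.split(/[/?&=#]/).some((seg) => seg === '..');
}

// Returns the request targets from the log lines that should be
// rejected or alerted on.
function flagSuspiciousRequests(lines) {
  const flagged = [];
  for (const line of lines) {
    const parts = line.split(' ');
    const target = parts[1];
    if (target && hasTraversalSegment(target)) flagged.push(target);
  }
  return flagged;
}

console.log(flagSuspiciousRequests(sampleLogLines));
```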

Remediation

Users can upgrade to 'fastify-reply-from' version 12.5.0 or later to address this vulnerability.

Added: Dec 1, 2025, 11:18 PM
Updated: Dec 1, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.