@fastify/http-proxy Prefix Escape Vulnerability via URL-Encoding

Vulnerability

A vulnerability exists in @fastify/http-proxy versions through 11.5.0, where the request prefix is not properly rewritten if the prefix segment contains URL-encoded characters. Fastify's routing system decodes URLs for matching purposes, but the original encoded request.url is forwarded to the upstream server without modification. This allows an attacker to access upstream paths that should be hidden by the prefix rewrite, potentially exposing internal or administrative endpoints. The issue arises because the prefix rewrite process uses a literal string replacement, which fails to account for URL encoding.

Impact

Exploitation of this vulnerability allows for path-restriction bypass, with the potential to access sensitive upstream resources, including internal or administrative endpoints, depending on the proxied service.

Remediation

Users are advised to upgrade to @fastify/http-proxy version 11.6.0 or later.

Added: Jul 18, 2026, 2:24 PM
Updated: Jul 18, 2026, 2:24 PM

Vulnerability Rating

Custom Algorithm
spread
5.0
impact
0.6
exploitability
8.1
remediation
7.7
relevance
10.0
threat
0.0
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.