Fastify Trust Proxy Vulnerability Allows Request Header Spoofing from Untrusted Connections

Vulnerability

A vulnerability exists in Fastify versions through 5.8.2 when the trustProxy setting is configured with a restrictive trust function. In this scenario, the request.protocol and request.host getters read the X-Forwarded-Proto and X-Forwarded-Host headers even on connections the trust function does not accept. An attacker on such an untrusted connection can therefore spoof the protocol and host that the application sees, potentially bypassing security measures that rely on these values.
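The following is an added example, not Fastify's code: a standalone model of how protocol and host should be resolved when trustProxy is a function, plus a check that spoofed forwarded headers from an untrusted peer are ignored. The trust function is assumed to follow the shape of Fastify's trustProxy option, (address, hop) => boolean; the request object, addresses and header values are constructed for the example.

```javascript
// Added example (not Fastify's implementation): resolve protocol/host honouring
// X-Forwarded-* only when the trust function accepts the immediate peer.
// Assumes the trust function shape (address, hop) => boolean.

function firstForwardedValue(header) {
  // X-Forwarded-* may be a comma-separated list; the first entry is the outermost hop.
  if (typeof header !== 'string') return undefined;
  const first = header.split(',')[0].trim();
  return first.length > 0 ? first : undefined;
}

function resolveProtocolAndHost(req, trustProxy) {
  const peer = req.socket.remoteAddress;
  const encrypted = Boolean(req.socket.encrypted);
  const direct = { protocol: encrypted ? 'https' : 'http', host: req.headers.host };

  // A function must be evaluated for the peer (hop 0); a bare `true` trusts every peer.
  // Being merely truthy (as any function is) must never count as trust.
  const trusted = typeof trustProxy === 'function'
    ? trustProxy(peer, 0) === true
    : trustProxy === true;
  if (!trusted) return direct;

  return {
    protocol: firstForwardedValue(req.headers['x-forwarded-proto']) || direct.protocol,
    host: firstForwardedValue(req.headers['x-forwarded-host']) || direct.host,
  };
}

// Constructed: a restrictive trust function accepting only a loopback reverse proxy.
const trustOnlyLoopback = (address) => address === '127.0.0.1' || address === '::1';

// Constructed request carrying spoofed forwarded headers over a plain socket.
function makeRequest(remoteAddress) {
  return {
    socket: { remoteAddress, encrypted: false },
    headers: {
      host: 'internal.example.test',
      'x-forwarded-proto': 'https',
      'x-forwarded-host': 'spoofed.example.test',
    },
  };
}

// Check: identical headers are ignored from an untrusted peer and honoured from the proxy.
function selfCheck() {
  const fromInternet = resolveProtocolAndHost(makeRequest('203.0.113.10'), trustOnlyLoopback);
  const fromProxy = resolveProtocolAndHost(makeRequest('127.0.0.1'), trustOnlyLoopback);
  return { fromInternet, fromProxy };
}
```

Running selfCheck() against a patched resolver should give http/internal.example.test for the untrusted peer and https/spoofed.example.test only for the loopback proxy.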

Impact

This vulnerability can lead to security decisions being based on spoofed header information, which could undermine HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, and host-based routing.

Remediation

Users can upgrade to Fastify version 5.8.3 or later to address this vulnerability.

Added: Mar 23, 2026, 2:25 PM
Updated: Mar 23, 2026, 2:25 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 0.6
exploitability: 5.4
remediation: 7.7
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.