CVE-2026-33805: Connection Header Abuse in @fastify/reply-from and @fastify/http-proxy

Vulnerability ID: CVE-2026-33805
CVSS Score: 9.0
Published: 2026-04-16

A logic flaw in the header processing pipeline of @fastify/reply-from and @fastify/http-proxy allows unauthenticated remote attackers to bypass access controls or subvert routing. By manipulating the HTTP Connection header, clients can force the proxy to remove security-critical headers injected by the developer via the rewriteRequestHeaders hook.

TL;DR

A vulnerability in Fastify proxy plugins allows clients to strip proxy-injected security headers by exploiting the RFC 7230 hop-by-hop stripping mechanism, leading to authentication bypasses and header spoofing.

⚠️ Exploit Status: POC

Technical Details

• CVSS Score: 9.0 (Critical)
• Attack Vector: Network
• CWE ID: CWE-644
• Exploit Status: PoC Available
• EPSS Score: 0.00042 (12.75%)
• Authentication: None Required

Affected Systems

• @fastify/reply-from
• @fastify/http-proxy
• Node.js API Gateways
• Fastify Edge Proxies
• @fastify/reply-from: <= 12.6.1 (Fixed in: 12.6.2)
• @fastify/http-proxy: <= 11.4.3 (Fixed in: 11.4.4)

Code Analysis

Commit: c815dc4

Moves Connection header stripping logic before rewriteRequestHeaders invocation to prevent client-controlled deletion of proxy metadata.

Exploit Details

• Provided PoC: Proof of concept script demonstrating stripping of proxy-injected headers using the Connection header.

Mitigation Strategies

• Upgrade Fastify proxy plugins to their patched versions.
• Implement WAF rules to reject HTTP requests containing unexpected tokens in the Connection header.
• Ensure upstream services enforce strict validation of incoming headers and implement default-deny fallback logic.

Remediation Steps:

1. Identify all projects utilizing @fastify/reply-from or @fastify/http-proxy via dependency auditing.
2. Update @fastify/reply-from to >= 12.6.2 using package managers (e.g., npm install @fastify/reply-from@12.6.2).
3. Update @fastify/http-proxy to >= 11.4.4 using package managers.
4. Rebuild and redeploy edge proxy applications.
5. Verify the fix by executing requests with manipulated Connection headers and confirming proxy-added headers persist.

References

• NVD Vulnerability Detail
• GitHub Security Advisory GHSA-gwhp-pf74-vj37
• Fix Commit in fastify-reply-from
• OpenJS Security Bulletin

Read the full report for CVE-2026-33805 on our website for more details including interactive diagrams and full exploit analysis.