UNKNOWN npm
fastify-reply-from affected by bypass of reply forwarding
GHSA-2q7r-29rg-6m5h · CVE-2025-66415
Description
Summary
By crafting a malicious URL, an attacker can reach upstream routes that are not meant to be exposed, even though reply.from is only wired up for specific routes in @fastify/reply-from.
Details
An attacker can escape the route restriction defined with @fastify/reply-from by inserting a `..` path segment into the request URL. Note that curl (version 8.7.1 was used here) normalizes a literal `..` out of the path before sending the request, so the percent-encoded form `%2e%2e` must be used to reproduce the issue from curl (alternatively, `--path-as-is` tells curl to send the path unchanged).
Impact
Everyone using this package with the routes option to restrict which paths are forwarded to a 3rd-party resource is affected: the restriction can be bypassed, so the whole upstream becomes reachable through the proxy.
References