Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the upstream unchanged. The upstream then decodes the path and serves it, letting an attacker reach upstream paths that the proxy was configured to hide via rewritePrefix, including internal or administrative endpoints.
Patches: upgrade to @fastify/http-proxy 11.6.0.
Workarounds: none.
Patches: upgrade to @fastify/http-proxy 11.6.0.
Workarounds: none.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Sat, 18 Jul 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the upstream unchanged. The upstream then decodes the path and serves it, letting an attacker reach upstream paths that the proxy was configured to hide via rewritePrefix, including internal or administrative endpoints. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none. | |
| Title | @fastify/http-proxy vulnerable to prefix escape via URL-encoded characters | |
| Weaknesses | CWE-20 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: openjs
Published:
Updated: 2026-07-18T13:08:40.489Z
Reserved: 2026-07-17T15:40:14.822Z
Link: CVE-2026-16117
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses