{"url":"http://public2.vulnerablecode.io/api/packages/684451?format=json","purl":"pkg:npm/%40fastify/reply-from@9.5.0","type":"npm","namespace":"@fastify","name":"reply-from","version":"9.5.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"12.6.2","latest_non_vulnerable_version":"12.6.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/94774?format=json","vulnerability_id":"VCID-5uuw-wmvr-fbea","summary":"fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66415.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66415.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66415","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09984","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66415"},{"reference_url":"https://github.com/fastify/fastify-reply-from","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify-reply-from"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2418149","reference_id":"2418149","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2418149"},{"reference_url":"https://github.com/fastify/fastify-reply-from/commit/4d9795cd5b57a36756d37b7f036eae369f69fa66","reference_id":"4d9795cd5b57a36756d37b7f036eae369f69fa66","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:13:33Z/"}],"url":"https://github.com/fastify/fastify-reply-from/commit/4d9795cd5b57a36756d37b7f036eae369f69fa66"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66415","reference_id":"CVE-2025-66415","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66415"},{"reference_url":"https://github.com/advisories/GHSA-2q7r-29rg-6m5h","reference_id":"GHSA-2q7r-29rg-6m5h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2q7r-29rg-6m5h"},{"reference_url":"https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-2q7r-29rg-6m5h","reference_id":"GHSA-2q7r-29rg-6m5h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:13:33Z/"}],"url":"https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-2q7r-29rg-6m5h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35652?format=json","purl":"pkg:npm/%40fastify/reply-from@12.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64dm-m6cs-b3ht"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/reply-from@12.5.0"}],"aliases":["CVE-2025-66415","GHSA-2q7r-29rg-6m5h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5uuw-wmvr-fbea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78338?format=json","vulnerability_id":"VCID-64dm-m6cs-b3ht","summary":"@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. \n\nUpgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33805.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33805.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33805","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04151","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33805"},{"reference_url":"https://github.com/fastify/fastify-reply-from","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify-reply-from"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33805","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33805"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2458651","reference_id":"2458651","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2458651"},{"reference_url":"https://github.com/advisories/GHSA-gwhp-pf74-vj37","reference_id":"GHSA-gwhp-pf74-vj37","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gwhp-pf74-vj37"},{"reference_url":"https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37","reference_id":"GHSA-gwhp-pf74-vj37","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T13:08:08Z/"}],"url":"https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://cna.openjsf.org/security-advisories.html","reference_id":"security-advisories.html","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T13:08:08Z/"}],"url":"https://cna.openjsf.org/security-advisories.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373643?format=json","purl":"pkg:npm/%40fastify/reply-from@12.6.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/reply-from@12.6.2"}],"aliases":["CVE-2026-33805","GHSA-gwhp-pf74-vj37"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-64dm-m6cs-b3ht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/131132?format=json","vulnerability_id":"VCID-wxb2-ees6-y3dd","summary":"fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. A reverse proxy server built with `@fastify/reply-from` could misinterpret the incoming body by passing an header `ContentType: application/json ; charset=utf-8`. This can lead to bypass of security checks. This vulnerability has been patched in '@fastify/reply-from` version 9.6.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-51701","reference_id":"","reference_type":"","scores":[{"value":"0.00229","scoring_system":"epss","scoring_elements":"0.45971","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00229","scoring_system":"epss","scoring_elements":"0.45826","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-51701"},{"reference_url":"https://github.com/fastify/fastify-reply-from","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify-reply-from"},{"reference_url":"https://github.com/fastify/fastify-reply-from/commit/cbd7c17c09e6476268e34f5e499a6b923e8acc18","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify-reply-from/commit/cbd7c17c09e6476268e34f5e499a6b923e8acc18"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-51701","reference_id":"CVE-2023-51701","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-51701"},{"reference_url":"https://github.com/advisories/GHSA-v2v2-hph8-q5xp","reference_id":"GHSA-v2v2-hph8-q5xp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v2v2-hph8-q5xp"},{"reference_url":"https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-v2v2-hph8-q5xp","reference_id":"GHSA-v2v2-hph8-q5xp","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:43:47Z/"}],"url":"https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-v2v2-hph8-q5xp"},{"reference_url":"https://github.com/fastify/fastify-reply-from/releases/tag/v9.6.0","reference_id":"v9.6.0","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:43:47Z/"}],"url":"https://github.com/fastify/fastify-reply-from/releases/tag/v9.6.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28287?format=json","purl":"pkg:npm/%40fastify/reply-from@9.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5uuw-wmvr-fbea"},{"vulnerability":"VCID-64dm-m6cs-b3ht"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/reply-from@9.6.0"},{"url":"http://public2.vulnerablecode.io/api/packages/684452?format=json","purl":"pkg:npm/%40fastify/reply-from@10.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5uuw-wmvr-fbea"},{"vulnerability":"VCID-64dm-m6cs-b3ht"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/reply-from@10.0.0"}],"aliases":["CVE-2023-51701","GHSA-v2v2-hph8-q5xp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wxb2-ees6-y3dd"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/reply-from@9.5.0"}