Use of Less Trusted Source Affecting fastify package, versions <5.8.3


Severity: medium

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-JS-FASTIFY-15762220
  • Published: 24 Mar 2026
  • Disclosed: 23 Mar 2026
  • Credit: LetaoZhao

Introduced: 23 Mar 2026

CVE-2026-3635
CWE-348

How to fix?

Upgrade fastify to version 5.8.3 or higher.

Overview

fastify is a fast and low overhead web framework for Node.js.

Affected versions of this package are vulnerable to Use of Less Trusted Source in the request.protocol and request.host getters. An attacker can manipulate the perceived protocol and host by sending crafted X-Forwarded-Proto and X-Forwarded-Host headers after bypassing the proxy and connecting directly to the application port, potentially impacting security decisions such as HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, or host-based routing.

Note: This is only exploitable if the application uses the trustProxy option with a restrictive trust function and relies on request.protocol or request.host for security decisions, and the attacker is able to connect directly to the application, bypassing the proxy.
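An added example, not code from fastify or from this advisory: a defence-in-depth check that derives protocol and host for security decisions from the X-Forwarded-* headers only when the TCP peer is a known proxy. The proxy addresses, the helper names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example (not fastify's code). Requests below are constructed stand-ins
// for Node's http.IncomingMessage, reduced to { socket, headers }.

// Assumption: only these peer addresses are proxies allowed to set X-Forwarded-*.
const TRUSTED_PROXIES = new Set(['10.0.0.5', '127.0.0.1']);

// Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; strip the prefix.
function normalizePeer(addr) {
  return typeof addr === 'string' ? addr.replace(/^::ffff:/i, '') : '';
}

// For a comma-separated header, keep the last entry (set by the nearest proxy).
function lastValue(header) {
  if (typeof header !== 'string') return undefined;
  const parts = header.split(',');
  return parts[parts.length - 1].trim() || undefined;
}

function effectiveOrigin(req, trusted = TRUSTED_PROXIES) {
  // What the socket itself tells us, independent of any client-supplied header.
  const direct = {
    protocol: req.socket.encrypted ? 'https' : 'http',
    host: req.headers.host,
    viaTrustedProxy: false,
  };
  // Peer is not a known proxy: ignore X-Forwarded-* entirely.
  if (!trusted.has(normalizePeer(req.socket.remoteAddress))) return direct;

  const proto = lastValue(req.headers['x-forwarded-proto']);
  const host = lastValue(req.headers['x-forwarded-host']);
  return {
    protocol: proto === 'http' || proto === 'https' ? proto : direct.protocol,
    host: host || direct.host,
    viaTrustedProxy: true,
  };
}

// Constructed sample: request relayed by the trusted proxy.
const viaProxy = { socket: { remoteAddress: '::ffff:10.0.0.5', encrypted: false },
  headers: { host: 'app.internal:3000', 'x-forwarded-proto': 'https', 'x-forwarded-host': 'shop.example' } };
// Constructed sample: same headers, but the peer connected to the app port directly.
const directPeer = { socket: { remoteAddress: '203.0.113.7', encrypted: false },
  headers: { host: '198.51.100.20:3000', 'x-forwarded-proto': 'https', 'x-forwarded-host': 'shop.example' } };

console.log(effectiveOrigin(viaProxy));   // forwarded values honoured
console.log(effectiveOrigin(directPeer)); // socket-derived values only
```

Restricting the application port at the network layer so that only the proxy can reach it removes the precondition described in the note above.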
