Fastify proxy plugins patch Connection header security bypass
TL;DR — A header-processing order bug lets attackers use the HTTP Connection header to remove proxy-injected security and routing headers before requests reach upstream services.
What happened
@fastify/reply-from is a Fastify plugin commonly used to build reverse proxies by forwarding requests to upstream services; @fastify/http-proxy builds on it.
CVE-2026-33805 reports that these plugins process the client-supplied Connection header after the proxy has already added headers via rewriteRequestHeaders. Because Connection is used to indicate hop-by-hop headers that should be stripped, an attacker can list any proxy-injected header name in Connection and cause it to be removed from the upstream request.
| Item | Source value |
|---|---|
| Weakness | CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax) |
| Severity | CVSS v4.0 9.0 (Critical) |
| CVSS vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N |
Why this matters: many internal architectures implicitly trust “edge-added” headers for authn/authz, tenant routing, or policy decisions. Any bug that lets an external client selectively remove those headers turns the proxy into an access-control footgun.
Who is impacted
- Services using `@fastify/reply-from` to forward requests to upstreams and relying on `rewriteRequestHeaders` to inject headers used for routing, access control, or security purposes.
- Services using `@fastify/http-proxy`, since it delegates to `@fastify/reply-from`.
| Package | Affected | Patched |
|---|---|---|
| @fastify/reply-from | < 12.6.2 | 12.6.2 |
| @fastify/http-proxy | < 11.4.4 | 11.4.4 |
Exploit shape is straightforward: send a request with `Connection: <header-name>` (or a comma-separated list) targeting headers the proxy expects to be present upstream.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
"Upgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later."
- Inventory services that act as “trusted proxies” (BFFs, API gateways, internal reverse proxies) and identify where `rewriteRequestHeaders` is used to add security-relevant headers.
- Treat this as a proxy trust-boundary failure: review downstream services that make authorization/routing decisions based on headers expected to be injected by the proxy, and ensure monitoring/alerting is in place for anomalous upstream requests missing those headers.
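The ordering bug described above and the downstream check recommended in the last item, as an added model that is not @fastify/reply-from or @fastify/http-proxy code: the hop-by-hop stripping, the simplified `rewriteRequestHeaders` callback, the `x-internal-tenant` header and the sample request are all constructed for illustration.

```javascript
// Added model of the Connection-header ordering bug; not plugin code, signatures simplified.
const HOP_BY_HOP = new Set([
  'connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
  'te', 'trailer', 'transfer-encoding', 'upgrade',
]);

// Remove the standard hop-by-hop headers plus every header name the client
// listed in Connection (the RFC 7230 rule a forwarding proxy implements).
function stripHopByHop(headers) {
  const out = { ...headers };
  const listed = String(out.connection || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  for (const name of [...HOP_BY_HOP, ...listed]) delete out[name];
  return out;
}

// Vulnerable order (the bug): inject proxy headers first, strip afterwards,
// so a client can name an injected header in Connection and have it removed.
function buildUpstreamHeadersVulnerable(clientHeaders, rewriteRequestHeaders) {
  return stripHopByHop(rewriteRequestHeaders({ ...clientHeaders }));
}

// Fixed order: handle the client-controlled Connection header first, then
// inject, so Connection can no longer reach the proxy's own headers.
function buildUpstreamHeadersFixed(clientHeaders, rewriteRequestHeaders) {
  return rewriteRequestHeaders(stripHopByHop(clientHeaders));
}

// Downstream guard: fail closed when a header the proxy is expected to inject
// is missing; the `missing` list is what to log and alert on.
function checkProxyHeaders(upstreamHeaders, required) {
  const missing = required.filter((h) => !(h.toLowerCase() in upstreamHeaders));
  return { ok: missing.length === 0, missing };
}

// Constructed sample: the proxy stamps a tenant header; the client lists that
// header's name in Connection.
const addTenant = (headers) => ({ ...headers, 'x-internal-tenant': 'acme' });
const clientRequest = {
  host: 'api.example.test',
  connection: 'keep-alive, x-internal-tenant',
};
const REQUIRED = ['x-internal-tenant'];

console.log(checkProxyHeaders(
  buildUpstreamHeadersVulnerable(clientRequest, addTenant), REQUIRED));
// → { ok: false, missing: [ 'x-internal-tenant' ] }
console.log(checkProxyHeaders(
  buildUpstreamHeadersFixed(clientRequest, addTenant), REQUIRED));
// → { ok: true, missing: [] }
```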
