{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33805", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-23T19:48:48.714Z", "datePublished": "2026-04-15T10:13:25.147Z", "dateUpdated": "2026-04-15T13:08:12.612Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T10:13:25.147Z"}, "descriptions": [{"lang": "en", "value": "@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. \n\nUpgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. \n\nUpgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later."}]}], "affected": [{"vendor": "@fastify/reply-from", "product": "@fastify/reply-from", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "0", "lessThan": "12.6.2"}, {"versionType": "semver", "status": "unaffected", "version": "12.6.2"}], "packageURL": "pkg:npm/@fastify/reply-from"}, {"vendor": "@fastify/reply-from", "product": "@fastify/http-proxy", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "0", "lessThan": "11.4.4"}, {"versionType": "semver", "status": "unaffected", "version": "11.4.4"}], "packageURL": "pkg:npm/@fastify/http-proxy"}], "references": [{"url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "credits": [{"lang": "en", "type": "reporter", "value": "FredKSchott"}, {"lang": "en", "type": "remediation developer", "value": "mcollina"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}, {"lang": "en", "type": "remediation reviewer", "value": "climba03003"}], "title": "@fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers", "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N", "baseScore": 9, "baseSeverity": "CRITICAL"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-644", "lang": "en", "description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"references": [{"url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:08:08.503908Z", "id": "CVE-2026-33805", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:08:12.612Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33805", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:08:08.503908Z"}}}], "references": [{"url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:07:59.414Z"}}], "cna": {"title": "@fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers", "credits": [{"lang": "en", "type": "reporter", "value": "FredKSchott"}, {"lang": "en", "type": "remediation developer", "value": "mcollina"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}, {"lang": "en", "type": "remediation reviewer", "value": "climba03003"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "@fastify/reply-from", "product": "@fastify/reply-from", "versions": [{"status": "affected", "version": "0", "lessThan": "12.6.2", "versionType": "semver"}, {"status": "unaffected", "version": "12.6.2", "versionType": "semver"}], "packageURL": "pkg:npm/@fastify/reply-from", "defaultStatus": "unaffected"}, {"vendor": "@fastify/reply-from", "product": "@fastify/http-proxy", "versions": [{"status": "affected", "version": "0", "lessThan": "11.4.4", "versionType": "semver"}, {"status": "unaffected", "version": "11.4.4", "versionType": "semver"}], "packageURL": "pkg:npm/@fastify/http-proxy", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "x_generator": {"engine": "cve-kit 1.0.0"}, "descriptions": [{"lang": "en", "value": "@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. \n\nUpgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.", "supportingMedia": [{"type": "text/html", "value": "@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. \n\nUpgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-644", "description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T10:13:25.147Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33805", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:08:12.612Z", "dateReserved": "2026-03-23T19:48:48.714Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2026-04-15T10:13:25.147Z", "assignerShortName": "openjs"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. \n\nUpgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later."}], "id": "CVE-2026-33805", "lastModified": "2026-04-17T15:09:46.880", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-04-15T11:16:34.990", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://cna.openjsf.org/security-advisories.html"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-644"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{"bugzilla": {"description": "@fastify/reply-from: @fastify/http-proxy: Fastify Reply From and HTTP Proxy: Security bypass via Connection header manipulation", "id": "2458651", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458651"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-444", "details": ["A flaw was found in @fastify/reply-from and @fastify/http-proxy. A remote attacker can exploit this vulnerability by manipulating the Connection header in client requests. This allows the attacker to remove specific headers that the proxy has added for security, routing, or access control purposes. Consequently, an attacker could bypass security mechanisms or gain unauthorized access to resources."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33805", "package_state": [{"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mod-arch-maas-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/dashboard-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-04-15T10:13:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33805\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33805\nhttps://cna.openjsf.org/security-advisories.html\nhttps://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37"], "statement": "An Important flaw exists in @fastify/reply-from and @fastify/http-proxy, allowing a remote attacker to bypass security, routing, or access control mechanisms. This is achieved by manipulating the Connection header in client requests, which can remove critical proxy-added headers. If reply-from or http-proxy are being used to add security relevant headers the attacker may be able to remove such information resulting in authentication bypass, privilege escalations or the possibility of jeopardize any further security control which depends on the removed request headers. This vulnerability have a high attack complexity rate as the attacker needs to intercept the communication between the client and the server to be able to manipulate the headers.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.4.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.4.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "@fastify/http-proxy", "source": "cna", "vendor": "@fastify/reply-from"}, "product": "fastify-http-proxy", "vendor": "fastify"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,12.6.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "12.6.2"}}], "original": {"product": "@fastify/reply-from", "source": "cna", "vendor": "@fastify/reply-from"}, "product": "fastify-reply-from", "vendor": "fastify"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,12.6.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "12.6.2"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "@fastify/reply-from", "source": "cna", "vendor": "@fastify/reply-from"}, "product": "fastify-reply-from", "vendor": "fastify-reply-from_project"}], "analysis": {"en": {"generated_at": "2026-04-17T08:25:35.447824+00:00", "value": {"mitigation_remediation": ["Upgrade @fastify/reply\u2011from to version 12.6.2 or later.", "Upgrade @fastify/http\u2011proxy to version 11.4.4 or later.", "Configure the proxy to reject or remove any Connection header values that attempt to strip headers added by the proxy, ensuring only a whitelisted set of headers can be forwarded."], "summary": {"action": "Immediate Patch", "impact": "Bypass of proxy\u2011added headers used for routing or access control"}, "threat_synthesis": {"affected_systems": "Affected products include the Fastify reply\u2011from plugin up to and including version 12.6.1 and the Fastify http\u2011proxy plugin up to and including version 11.4.3. Both libraries process the Connection header in a way that allows the aforementioned manipulation and must be upgraded to the versions cited in the advisory for remediation.", "description_and_impact": "The vulnerability exists in @fastify/reply\u2011from and @fastify/http\u2011proxy where the library processes the client\u2019s Connection header after the proxy has injected its own headers. This allows an attacker to list those proxy\u2011added headers in the Connection header value, causing the library to strip them from the upstream request. The result is that routing, access\u2011control, or security headers that the proxy added are removed, enabling the attacker to bypass proxy\u2011enforced controls or redirect traffic. This flaw is a form of HTTP header manipulation (CWE\u2011644) and header injection that can lead to header spoofing or denial of service (CWE\u2011444), compromising the integrity and confidentiality of requests handled by the proxy.", "risk_and_exploitability": "The advisory assigns a CVSS base score of 9, indicating critical impact. This vulnerability has an EPSS score of <1% (approximately 0.04%), indicating a very low exploitation probability, and it is not listed in the CISA KEV catalog. The severity combined with the straightforward attack vector remains a high\u2011risk flaw. An attacker only needs to send an HTTP request to the vulnerable proxy service and supply a Connection header that names a proxy\u2011added header; no authentication is required. If the proxy forwards requests to sensitive services, the attacker can effectively remove headers that guard against unauthorized access or enforce routing policies."}}}}, "created": "2026-04-15T13:49:14.855700+00:00", "updated": "2026-04-17T08:30:13.701244+00:00", "vendors": ["fastify", "fastify$PRODUCT$fastify-http-proxy", "fastify$PRODUCT$fastify-reply-from", "fastify-reply-from_project", "fastify-reply-from_project$PRODUCT$fastify-reply-from"]}