{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/proxy-vulnerability/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["fastify","header stripping","proxy vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003e@fastify/reply-from\u003c/code\u003e and \u003ccode\u003e@fastify/http-proxy\u003c/code\u003e libraries are vulnerable to a header stripping attack. This vulnerability stems from the incorrect processing order of the \u003ccode\u003eConnection\u003c/code\u003e header. The client\u0026rsquo;s \u003ccode\u003eConnection\u003c/code\u003e header is processed \u003cem\u003eafter\u003c/em\u003e the proxy has added custom headers via the \u003ccode\u003erewriteRequestHeaders\u003c/code\u003e function. This allows an attacker to retroactively remove headers added by the proxy by simply listing them in the \u003ccode\u003eConnection\u003c/code\u003e header. This affects any application leveraging these plugins where custom headers are injected for routing, access control, or other security purposes. All versions of both \u003ccode\u003e@fastify/reply-from\u003c/code\u003e and \u003ccode\u003e@fastify/http-proxy\u003c/code\u003e are affected. The vulnerability can be exploited without any special configuration. This undermines the intended function of a proxy as a trusted intermediary.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA client crafts a request containing a \u003ccode\u003eConnection\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe client sends the crafted request to a Fastify proxy server using \u003ccode\u003e@fastify/reply-from\u003c/code\u003e or \u003ccode\u003e@fastify/http-proxy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe proxy receives the request and copies all client headers, including the \u003ccode\u003eConnection\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe proxy, using \u003ccode\u003erewriteRequestHeaders\u003c/code\u003e, adds custom headers (e.g., \u003ccode\u003ex-forwarded-by\u003c/code\u003e) to the request.\u003c/li\u003e\n\u003cli\u003eThe proxy\u0026rsquo;s transport handler processes the \u003ccode\u003eConnection\u003c/code\u003e header from the client.\u003c/li\u003e\n\u003cli\u003eHeaders listed in the client\u0026rsquo;s \u003ccode\u003eConnection\u003c/code\u003e header, including proxy-added headers, are stripped from the upstream request.\u003c/li\u003e\n\u003cli\u003eThe modified request, with stripped headers, is forwarded to the upstream server.\u003c/li\u003e\n\u003cli\u003eThe upstream server receives the request with missing headers, potentially bypassing security checks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security controls implemented by the proxy. This includes bypassing proxy identification, circumventing access control mechanisms, and removing arbitrary headers. For example, an attacker can strip headers like \u003ccode\u003ex-forwarded-by\u003c/code\u003e to avoid detection, or remove authentication headers like \u003ccode\u003eauthorization\u003c/code\u003e or custom access control headers like \u003ccode\u003ex-internal-auth\u003c/code\u003e to gain unauthorized access to resources. The number of victims depends on the prevalence of vulnerable Fastify deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to patched versions of \u003ccode\u003e@fastify/reply-from\u003c/code\u003e and \u003ccode\u003e@fastify/http-proxy\u003c/code\u003e when available.\u003c/li\u003e\n\u003cli\u003eAs a workaround, avoid using \u003ccode\u003erewriteRequestHeaders\u003c/code\u003e to inject security-critical headers into requests.\u003c/li\u003e\n\u003cli\u003eImplement input validation to sanitize or reject requests containing a \u003ccode\u003eConnection\u003c/code\u003e header that attempts to remove security-sensitive headers.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing \u003ccode\u003eConnection\u003c/code\u003e headers listing custom or security-related headers as a sign of potential exploitation (see Sigma rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T01:02:59Z","date_published":"2026-04-16T01:02:59Z","id":"/briefs/2026-04-fastify-header-strip/","summary":"The `@fastify/reply-from` and `@fastify/http-proxy` libraries process the client's `Connection` header after adding headers, allowing attackers to strip proxy-added headers via the `Connection` header, leading to potential bypass of security controls.","title":"Fastify Proxy Header Stripping Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-fastify-header-strip/"}],"language":"en","title":"CraftedSignal Threat Feed — Proxy Vulnerability","version":"https://jsonfeed.org/version/1.1"}