CVE-2026-3635
MEDIUM6.1EPSS 0.01%fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
描述
## Summary When `trustProxy` is configured with a restrictive trust function (e.g., a specific IP like `trustProxy: '10.0.0.1'`, a subnet, a hop count, or a custom function), the `request.protocol` and `request.host` getters read `X-Forwarded-Proto` and `X-Forwarded-Host` headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. ## Affected Versions fastify <= 5.8.2 ## Impact Applications using `request.protocol` or `request.host` for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when `trustProxy` is configured with a restrictive trust function. When `trustProxy: true` (trust everything), both `host` and `protocol` trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.
受影響套件(1)
- npm/fastifyfrom 0, < 5.8.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-3635
- PATCHhttps://github.com/fastify/fastify
- WEBhttps://cna.openjsf.org/security-advisories.html
- WEBhttps://github.com/fastify/fastify/releases/tag/v5.8.3
- WEBhttps://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf
- WEBhttps://www.cve.org/CVERecord?id=CVE-2026-3635