Description
By crafting a malicious URL, an attacker could reach routes that were not intended to be proxied, even though reply.from is configured only for specific routes in @fastify/reply-from.
Recommendation
Update the @fastify/reply-from package to the latest compatible version. Version details are as follows:
- Affected version(s): <= 12.4.0
- Patched version(s): 12.5.0
References
Related Issues
- @fastify/reply-from JSON Content-Type parsing confusion - CVE-2023-51701
- FUXA has JWT Authentication Bypass via HTTP Referer header spoofing - CVE-2025-69985
- jsPDF Bypass Regular Expression Denial of Service (ReDoS) - CVE-2025-29907
- Vite has an `server.fs.deny` bypass with an invalid `request-target` - CVE-2025-32395
Tags: npm, @fastify/reply-from
Last updated on December 02, 2025