Description
By crafting a malicious URL, an attacker could access routes that are not allowed, even though reply.from is defined only for specific routes in @fastify/reply-from.
Recommendation
Update the @fastify/reply-from package to the latest compatible version. Version details:
- Affected version(s): <= 12.4.0
- Patched version(s): 12.5.0
References
Related Issues
- @fastify/reply-from JSON Content-Type parsing confusion - CVE-2023-51701
- @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation - CVE-2026-26019
- Vite has an `server.fs.deny` bypass with an invalid `request-target` - CVE-2025-32395
- vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-62522
Tags:
- npm
- @fastify/reply-from
Last updated on December 02, 2025


