Description
By crafting a malicious URL, an attacker could access routes that are not allowed, even though `reply.from` is defined only for specific routes in @fastify/reply-from.
Recommendation
Update the @fastify/reply-from package to the latest compatible version. Version details:
- Affected version(s): <= 12.4.0
- Patched version(s): 12.5.0
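To confirm that no affected copy remains after the update, including transitive ones, the check below walks a parsed `package-lock.json`. It is an added example, not code from the advisory or from the fastify project. It assumes the lockfileVersion 2 or 3 layout, and the sample lockfile and the `legacy-gateway` package name are constructed.

```javascript
// Added example, not from the advisory. Version bounds are the advisory's.
const PKG = '@fastify/reply-from';
const LAST_AFFECTED = [12, 4, 0]; // advisory: affected <= 12.4.0, patched 12.5.0

// Compare the numeric major.minor.patch triplet; prerelease/build tags are ignored.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true; // unparseable version: flag it for manual review
  const v = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== LAST_AFFECTED[i]) return v[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 12.4.0
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2 or 3).
// Keys look like "node_modules/a/node_modules/@fastify/reply-from", so nested
// (transitive) copies are found as well as the top-level one.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== `node_modules/${PKG}` && !path.endsWith(`/node_modules/${PKG}`)) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: one patched top-level copy, one affected nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@fastify/reply-from': { version: '12.5.0' },
    'node_modules/@fastify/http-proxy': { version: '11.0.0' },
    'node_modules/legacy-gateway/node_modules/@fastify/reply-from': { version: '11.0.1' },
  },
};

for (const hit of findAffected(sampleLock)) {
  console.log(`AFFECTED ${hit.path} @ ${hit.version} -> upgrade to >= 12.5.0`);
}
```

For a real project, pass `findAffected` the result of `JSON.parse` on the project's `package-lock.json` instead of `sampleLock`.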
References
Related Issues
- html2pdf.js contains a cross-site scripting vulnerability - CVE-2026-22787
- Altcha Proof-of-Work obfuscation mode cryptanalytic break - CVE-2025-65849
- Finance.js vulnerable to DoS via the seekZero() parameter - CVE-2025-56572
- jsPDF Bypass Regular Expression Denial of Service (ReDoS) - CVE-2025-29907
Tags: npm, @fastify/reply-from
Last updated on December 02, 2025