Fastify's connection header abuse enables stripping of proxy-added headers

Severity:: High

Description

@fastify/reply-from and @fastify/http-proxy process the client’s Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers (like access control or identification headers) from upstream requests by listing them in the Connection header value.

Recommendation

Update the @fastify/reply-from package to the latest compatible version. Followings are version details:

Affected version(s): <= 12.6.1
Patched version(s): 12.6.2

References

GHSA-gwhp-pf74-vj37
cna.openjsf.org
CVE-2026-33805
CWE-644
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

@fastify/reply-from JSON Content-Type parsing confusion - CVE-2023-51701
Axios: no_proxy bypass via IP alias allows SSRF - CVE-2026-42038
LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header - CVE-2026-39411
Axios: Header Injection via Prototype Pollution - CVE-2026-42035

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; @fastify/reply-from

Anything's wrong? Let us know Last updated on April 16, 2026