Fastify's connection header abuse enables stripping of proxy-added headers
- Severity:
- High
Description
@fastify/reply-from and @fastify/http-proxy process the client’s Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers (like access control or identification headers) from upstream requests by listing them in the Connection header value.
Recommendation
Update the @fastify/reply-from package to the latest compatible version. Followings are version details:
- Affected version(s): <= 12.6.1
- Patched version(s): 12.6.2
References
Related Issues
- SillyTavern has Authentication Bypass via SSO Header Injection - CVE-2026-44649
- Axios: Header Injection via Prototype Pollution - CVE-2026-42035
- jsrsasign: Missing cryptographic validation during DSA signing enables private key extraction - CVE-2026-4601
- Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Ax - CVE-2026-42043
You might also like:
- Tags:
- npm
- @fastify/reply-from
Anything's wrong? Let us know Last updated on April 16, 2026


