Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66415

CVE-2025-66415: Fastify Reply-from Auth Bypass Vulnerability

CVE-2025-66415 is an authentication bypass vulnerability in Fastify Reply-from that allows attackers to access unauthorized routes through crafted URLs. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-66415 Overview

CVE-2025-66415 is a path traversal vulnerability in @fastify/reply-from, a Fastify plugin that forwards HTTP requests to upstream servers. Versions prior to 12.5.0 fail to properly sanitize the request URL before constructing the upstream destination. An attacker can craft a malicious URL containing .. sequences to access upstream routes that should be restricted, bypassing the route scoping enforced by reply.from. The flaw is categorized under [CWE-441] (Unintended Proxy or Intermediary). The vulnerability is fixed in version 12.5.0.

Critical Impact

A remote, unauthenticated attacker can reach proxied backend routes that the application intended to keep inaccessible, undermining route-level access boundaries.

Affected Products

  • @fastify/reply-from versions prior to 12.5.0
  • Node.js applications using Fastify with reply.from route forwarding
  • Any service exposing @fastify/reply-from as a reverse-proxy layer

Discovery Timeline

  • 2025-12-01 - CVE-2025-66415 published to NVD
  • 2026-02-06 - Last updated in NVD database

Technical Details for CVE-2025-66415

Vulnerability Analysis

The @fastify/reply-from plugin lets developers selectively forward specific Fastify routes to an upstream HTTP server. The plugin derives the upstream path from req.url when the developer does not explicitly pass a source argument. Because the request URL is forwarded without traversal sanitization, an attacker can supply path segments like ../ to escape the configured route scope. The upstream server then receives a normalized path that points at a different resource than the one the route handler nominally protects. This results in unintended proxy behavior and exposure of backend endpoints that were never meant to be reachable through the proxy route.

Root Cause

The root cause is missing input validation in the URL handling logic of buildURL in lib/utils.js and in the request-forwarding path inside index.js. The plugin trusted req.url and did not strip query strings or reject decoded .. traversal sequences before resolving the upstream URL.

Attack Vector

Exploitation requires only network access to a vulnerable endpoint. The attacker sends an HTTP request whose URL or query component includes encoded directory traversal segments. The plugin resolves these against the upstream base URL, producing a destination outside the intended forwarding scope.

javascript
// Patch applied in index.js — strip the query string from req.url
// before using it as the upstream source path
const retryDelay = opts.retryDelay || undefined

if (!source) {
  const requestUrl = req.url
  const queryIndex = requestUrl.indexOf('?')
  source = queryIndex >= 0 ? requestUrl.substring(0, queryIndex) : requestUrl
}

// we leverage caching to avoid parsing the destination URL

Source: GitHub commit 4d9795c

javascript
// Patch applied in lib/utils.js — reject decoded traversal sequences
// issue ref: https://github.com/fastify/fast-proxy/issues/42
function buildURL (source, reqBase) {
  if (decodeURIComponent(source).includes('..')) {
    const err = new Error('source/request contain invalid characters')
    err.statusCode = 400
    throw err
  }

  if (Array.isArray(reqBase)) reqBase = reqBase[0]
  let baseOrigin = reqBase ? new URL(reqBase).href : undefined
}

Source: GitHub commit 4d9795c

The fix performs two actions. First, it trims any query string before the URL becomes the upstream source path. Second, it decodes the source and rejects any input containing .., returning HTTP 400.

Detection Methods for CVE-2025-66415

Indicators of Compromise

  • HTTP requests to Fastify-fronted endpoints containing .., %2e%2e, or %2E%2E in the path or query string.
  • Upstream proxy logs showing requests to backend paths that no reply.from route is configured to expose.
  • HTTP 400 responses with the message source/request contain invalid characters once 12.5.0 is deployed, indicating attempted exploitation.

Detection Strategies

  • Inspect Fastify access logs for path-traversal patterns directed at routes that invoke reply.from.
  • Correlate edge proxy logs with upstream service logs to identify mismatches between the route hit on the proxy and the path served by the upstream.
  • Add a Web Application Firewall (WAF) rule to flag traversal sequences targeting routes known to forward via @fastify/reply-from.

Monitoring Recommendations

  • Track the version of @fastify/reply-from resolved in package-lock.json across services and alert on any version below 12.5.0.
  • Monitor application error telemetry for the new 400 error string introduced by the patch.
  • Baseline normal upstream paths reached through each proxy route and alert on deviations.

How to Mitigate CVE-2025-66415

Immediate Actions Required

  • Upgrade @fastify/reply-from to version 12.5.0 or later in all Node.js services.
  • Audit every reply.from usage to confirm the upstream base URL and route scoping match the intended trust boundary.
  • Review proxy and upstream logs for traversal attempts against affected routes prior to the upgrade.

Patch Information

The fix is committed in GitHub commit 4d9795c and described in GitHub Security Advisory GHSA-2q7r-29rg-6m5h. Upgrade with npm install @fastify/reply-from@^12.5.0.

Workarounds

  • Explicitly pass a sanitized source argument to reply.from(source) instead of letting the plugin derive it from req.url.
  • Validate or normalize the incoming request path in a Fastify preHandler hook and reject requests containing .. sequences.
  • Place an upstream gateway or WAF in front of the service to strip or block traversal characters until the upgrade is complete.
bash
# Upgrade the plugin and verify the resolved version
npm install @fastify/reply-from@^12.5.0
npm ls @fastify/reply-from

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.