CVE-2026-33805 Overview
CVE-2026-33805 is a critical HTTP Request Smuggling vulnerability affecting @fastify/reply-from v12.6.1 and earlier, as well as @fastify/http-proxy v11.4.3 and earlier. The vulnerability exists due to improper processing order of the client's Connection header, which is evaluated after the proxy has already added its own headers via rewriteRequestHeaders. This design flaw allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value.
Critical Impact
Attackers can selectively remove headers added by the proxy for routing, access control, or security purposes, potentially bypassing authentication and authorization mechanisms.
Affected Products
- @fastify/reply-from v12.6.1 and earlier
- @fastify/http-proxy v11.4.3 and earlier
- Applications using @fastify/http-proxy (which delegates to @fastify/reply-from)
Discovery Timeline
- 2026-04-15 - CVE CVE-2026-33805 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-33805
Vulnerability Analysis
This vulnerability stems from improper control of HTTP headers (CWE-644) in the Fastify proxy ecosystem. The core issue lies in the timing of Connection header processing relative to header rewriting operations. When a proxy application uses rewriteRequestHeaders to add security-critical headers (such as authentication tokens, internal routing information, or access control headers), these additions occur before the Connection header is processed.
According to HTTP/1.1 specifications, any header listed in the Connection header should be removed before forwarding the request. By exploiting this processing order, an attacker can craft a malicious request that includes the names of proxy-added headers in the Connection header value. When the proxy processes the Connection header, it inadvertently removes the very security headers it just added, allowing the malicious request to reach the upstream server without proper security context.
Root Cause
The root cause is the incorrect ordering of header processing operations. The rewriteRequestHeaders hook executes before Connection header hop-by-hop header removal, creating a window where attacker-controlled Connection header values can reference and remove proxy-injected headers. This represents a fundamental design flaw where the proxy's header addition logic does not account for the client's ability to influence subsequent header removal through the Connection header mechanism.
Attack Vector
The attack is network-based and can be executed by any unauthenticated client that can send HTTP requests to the vulnerable proxy. An attacker constructs a request with a Connection header that lists the names of headers the proxy is expected to add. For example, if a proxy adds an X-Internal-Auth header for upstream authentication, the attacker includes Connection: X-Internal-Auth in their request. The proxy adds the authentication header, then processes the Connection header and removes it, sending an unauthenticated request to the upstream server.
This attack is particularly dangerous because it can bypass authentication, authorization, and security controls that rely on proxy-injected headers. The attacker requires no special privileges and the attack can be executed with standard HTTP client tools.
Detection Methods for CVE-2026-33805
Indicators of Compromise
- Unexpected HTTP requests reaching upstream servers without expected proxy-added headers
- Anomalous Connection header values containing custom or internal header names
- Authentication or authorization failures at upstream services despite valid proxy configurations
- Increased volume of requests with unusual Connection header patterns
Detection Strategies
- Monitor and log Connection header values at the proxy layer for unexpected header names
- Implement upstream logging to detect requests missing expected proxy-injected headers
- Deploy Web Application Firewall (WAF) rules to flag Connection headers referencing internal header names
- Review proxy access logs for patterns of header manipulation attempts
Monitoring Recommendations
- Enable verbose logging on Fastify proxy instances to capture full header details
- Set up alerts for requests where upstream servers report missing expected authentication headers
- Implement correlation analysis between proxy logs and upstream application logs
- Monitor for reconnaissance patterns where attackers may test various header names in Connection values
How to Mitigate CVE-2026-33805
Immediate Actions Required
- Upgrade @fastify/reply-from to v12.6.2 or later immediately
- Upgrade @fastify/http-proxy to v11.4.4 or later immediately
- Audit proxy configurations to identify which headers are added via rewriteRequestHeaders
- Review upstream service logs for evidence of past exploitation attempts
Patch Information
The Fastify team has released patches that correct the header processing order. In the fixed versions, Connection header processing occurs before rewriteRequestHeaders, preventing attackers from removing proxy-added headers through this mechanism.
For detailed patch information, see the GitHub Security Advisory GHSA-gwhp-pf74-vj37 and the OpenJS Foundation Security Advisories.
Workarounds
- If immediate patching is not possible, implement upstream validation to reject requests missing required security headers
- Configure WAF rules to strip or reject requests with Connection headers containing internal header names
- Consider implementing header verification at the upstream application layer as defense-in-depth
- Temporarily disable features that rely on proxy-injected headers for security decisions until patching is complete
# Upgrade @fastify/reply-from to patched version
npm update @fastify/reply-from@12.6.2
# Upgrade @fastify/http-proxy to patched version
npm update @fastify/http-proxy@11.4.4
# Verify installed versions
npm list @fastify/reply-from @fastify/http-proxy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
