🟠 《高危安全漏洞:CVE-2026-15631》

CVSS 评分: 高危(8.7)  状态: Received  发布时间: 2026-07-18


漏洞描述

Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which collapses dot segments, so a crafted upgrade request with path traversal sequences can escape the rewrite prefix and reach upstream endpoints that were not meant to be exposed by the proxy. This is a variant of CVE-2021-21322 in a code path that never went through the HTTP fix in fastify/reply-from. Exploitation requires a non-normalizing WebSocket client, since browsers and the ws package normalize the request path before sending, but raw HTTP clients or downstream proxies that forward the request target unchanged make the attack reachable in production topologies.

Patches: upgrade to @fastify/http-proxy 11.6.0.

Workarounds: none.


🔍 技术细节

字段
CVE ID CVE-2026-15631
CVSS 评分 8.7 🟠
严重程度 高危
CVSS 向量 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CWE 分类 CWE-22
发布时间 2026-07-18
最后更新 2026-07-18
状态 Received
数据来源 ce714d77-add3-4f53-aff5-83d477b104bb

🔗 参考链接