🟠 高危 | CVE-2026-15631 — Impact: @fastify/http-proxy versions from 9.4.0 up...
🟠 《高危安全漏洞:CVE-2026-15631》
CVSS 评分: 高危(8.7) 状态: Received 发布时间: 2026-07-18
漏洞描述
Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which collapses dot segments, so a crafted upgrade request with path traversal sequences can escape the rewrite prefix and reach upstream endpoints that were not meant to be exposed by the proxy. This is a variant of CVE-2021-21322 in a code path that never went through the HTTP fix in fastify/reply-from. Exploitation requires a non-normalizing WebSocket client, since browsers and the ws package normalize the request path before sending, but raw HTTP clients or downstream proxies that forward the request target unchanged make the attack reachable in production topologies.
Patches: upgrade to @fastify/http-proxy 11.6.0.
Workarounds: none.
🔍 技术细节
| 字段 | 值 |
|---|---|
| CVE ID | CVE-2026-15631 |
| CVSS 评分 | 8.7 🟠 |
| 严重程度 | 高危 |
| CVSS 向量 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
| CWE 分类 | CWE-22 |
| 发布时间 | 2026-07-18 |
| 最后更新 | 2026-07-18 |
| 状态 | Received |
| 数据来源 | ce714d77-add3-4f53-aff5-83d477b104bb |