🔴 严重 | CVE-2026-16117 — Impact: @fastify/http-proxy versions up to and inc...
🔴 《严重安全漏洞:CVE-2026-16117》
CVSS 评分: 严重(10.0) 状态: Received 发布时间: 2026-07-18
漏洞描述
Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the upstream unchanged. The upstream then decodes the path and serves it, letting an attacker reach upstream paths that the proxy was configured to hide via rewritePrefix, including internal or administrative endpoints.
Patches: upgrade to @fastify/http-proxy 11.6.0.
Workarounds: none.
🔍 技术细节
| 字段 | 值 |
|---|---|
| CVE ID | CVE-2026-16117 |
| CVSS 评分 | 10.0 🔴 |
| 严重程度 | 严重 |
| CVSS 向量 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| CWE 分类 | CWE-20 |
| 发布时间 | 2026-07-18 |
| 最后更新 | 2026-07-18 |
| 状态 | Received |
| 数据来源 | ce714d77-add3-4f53-aff5-83d477b104bb |