fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service.
If the base url of the proxied server is /pub/, a user expect that accessing /priv on the target service would not be possible. Unfortunately, it is.
Upgrade to version 4.0.2
publishedAdvisory PublishedMar 3rd, 2021
reportedReported by AnonymousMar 3rd, 2021