Severity: critical

    Prefix escape



    In fastify-reply-from before version 4.0.2, a crafted URL can escape the path prefix under which the proxied backend service is exposed. If the proxied server is mounted at the base URL /pub/, a user expects that /priv on the target service is unreachable through the proxy. Unfortunately, it is reachable.
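    The following example is added here to illustrate the class of bug the advisory describes; it is not fastify-reply-from's code and does not reproduce the advisory's actual request. A naive proxy builds the upstream URL by gluing the configured prefix to the incoming request path and lets URL resolution collapse dot segments afterwards, so the final path can land outside the prefix. The hardened variant checks the canonical pathname the parser produced before forwarding. The upstream origin, the function names and the sample request paths are all constructed for this illustration.

```javascript
// Added illustration of a reverse-proxy "prefix escape" (not fastify-reply-from's
// code and not the advisory's actual vector; the upstream host, helper names and
// sample paths are constructed for this example).
const UPSTREAM = 'http://backend.internal'; // constructed upstream origin

// Vulnerable pattern: concatenate the prefix and the request path, then let the
// URL parser (or the backend) resolve dot segments. WHATWG URL resolution treats
// "..", "%2e%2e" and, for http(s), backslashes as path separators/dot segments,
// so the resulting pathname can sit above the prefix.
function naiveProxyUrl(prefix, reqPath) {
  return new URL(prefix + reqPath.replace(/^\//, ''), UPSTREAM).href;
}

// True when an already-normalized pathname is the prefix itself or lies below it.
// Normalizing the prefix to end in "/" stops "/pub" from matching "/public".
function withinPrefix(pathname, prefix) {
  const base = prefix.endsWith('/') ? prefix : prefix + '/';
  return pathname === base.slice(0, -1) || pathname.startsWith(base);
}

// Hardened pattern: build the URL the same way, then verify the canonical
// pathname against the prefix. Returns the upstream URL, or null to reject.
function safeProxyUrl(prefix, reqPath) {
  const base = prefix.endsWith('/') ? prefix : prefix + '/';
  const target = new URL(base + reqPath.replace(/^\//, ''), UPSTREAM);
  return withinPrefix(target.pathname, base) ? target.href : null;
}

// Constructed request paths: the first is benign, the rest try to leave /pub/.
const SAMPLES = ['/docs/index.html', '/../priv', '/%2e%2e/priv', '/..\\priv', '/x/../../priv'];

// Side-by-side result for each sample path under the naive and hardened builders.
function demo() {
  return SAMPLES.map((p) => ({
    path: p,
    naive: naiveProxyUrl('/pub/', p),
    safe: safeProxyUrl('/pub/', p),
  }));
}

console.table(demo());
```

    The check is only as strong as the agreement between the proxy's parser and the backend's: WHATWG URL leaves an encoded slash (%2F) untouched, so a backend that percent-decodes before routing still needs its own traversal check, and the proxy should forward the normalized pathname rather than the raw request string.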


    Upgrade to version 4.0.2



    Advisory timeline

    1. Advisory published: Mar 3rd, 2021
    2. Reported by Anonymous: Mar 3rd, 2021