Severity: critical

    Prefix escape

    fastify-reply-from

    Overview

    In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is /pub/, a user expect that accessing /priv on the target service would not be possible. Unfortunately, it is.

    Remediation

    Upgrade to version 4.0.2

    Resources

    Have content suggestions? Visit npmjs.com/support.

    Advisory timeline

    1. published

      Advisory Published
      Mar 3rd, 2021
    2. reported

      Reported by Anonymous
      Mar 3rd, 2021