
Description

Summary

When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions

fastify <= 5.8.2

Impact

Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function. When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.
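The property the advisory describes as broken is that forwarded headers should only be honored when the immediate peer passes the trust check. The following is an added illustration of that rule, not Fastify's own code or its fix; the `makeTrust` helper, the request shape (`remoteAddress`, `encrypted`, `headers`) and the sample requests are constructed for this example, and subnet and hop-count trust forms are left out.

```javascript
// Build a trust predicate in the spirit of trustProxy: `true`, a single IP,
// a list of IPs, or a custom function (constructed helper, not Fastify's).
function makeTrust(trustProxy) {
  if (trustProxy === true) return () => true;
  if (typeof trustProxy === 'function') return trustProxy;
  const allowed = Array.isArray(trustProxy) ? trustProxy : [trustProxy];
  return (remoteAddress) => allowed.includes(remoteAddress);
}

// Resolve protocol and host for a request. X-Forwarded-Proto and
// X-Forwarded-Host are consulted only when the connection's peer address is
// trusted; otherwise the socket's own TLS state and the Host header are used,
// so a client connecting directly cannot spoof either value.
function resolveOrigin(req, trust) {
  const trusted = trust(req.remoteAddress);
  // Take the first (leftmost) value if the header carries a list.
  const header = (name) => (req.headers[name] || '').split(',')[0].trim();

  let protocol = req.encrypted ? 'https' : 'http';
  let host = req.headers.host || '';

  if (trusted) {
    const fwdProto = header('x-forwarded-proto');
    const fwdHost = header('x-forwarded-host');
    if (fwdProto === 'http' || fwdProto === 'https') protocol = fwdProto;
    if (fwdHost) host = fwdHost;
  }
  return { protocol, host, trusted };
}

// Constructed requests: both carry identical forwarded headers, but only the
// first arrives from the configured proxy address.
const forwardedHeaders = {
  host: 'internal.example.test',
  'x-forwarded-proto': 'https',
  'x-forwarded-host': 'public.example.test',
};
const viaProxy = { remoteAddress: '10.0.0.1', encrypted: false, headers: forwardedHeaders };
const direct = { remoteAddress: '203.0.113.7', encrypted: false, headers: forwardedHeaders };

const trust = makeTrust('10.0.0.1');
console.log(resolveOrigin(viaProxy, trust)); // { protocol: 'https', host: 'public.example.test', trusted: true }
console.log(resolveOrigin(direct, trust));   // { protocol: 'http', host: 'internal.example.test', trusted: false }
```

With `makeTrust(true)` both requests would resolve to the forwarded values, matching the advisory's note that trust-everything behavior is expected.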

PUBLISHED Reserved 2026-03-06 | Published 2026-03-23 | Updated 2026-03-23 | Assigner openjs

MEDIUM: 6.1 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-348 Use of less trusted source

Product status

Default status
unaffected

Any version
affected

5.8.3 (semver)
unaffected

Credits

LetaoZhao (TinkAnet) reporter

KaKa (climba03003) remediation reviewer

Matteo Collina remediation reviewer

Ulises Gascón remediation reviewer

References

github.com/...astify/security/advisories/GHSA-444r-cwp2-x5xf

www.cve.org/CVERecord?id=CVE-2026-3635

cna.openjsf.org/security-advisories.html

cve.org (CVE-2026-3635)

nvd.nist.gov (CVE-2026-3635)