Impact: @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 build the internal URL cache key by concatenating the destination and source path without a delimiter. Different destination and source pairs can therefore produce the same key while resolving to different upstream URLs. When getUpstream selects an upstream from request data, a URL cached for one upstream can be reused for a request intended for another upstream, causing cross-upstream data access and modification. The default configuration is affected. Setting disableCache to true prevents the behavior. Patches: upgrade to @fastify/reply-from 12.6.4. Workarounds: pass disableCache: true when registering the plugin.
Metrics
Affected Vendors & Products
References
History
Sat, 18 Jul 2026 12:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Impact: @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 build the internal URL cache key by concatenating the destination and source path without a delimiter. Different destination and source pairs can therefore produce the same key while resolving to different upstream URLs. When getUpstream selects an upstream from request data, a URL cached for one upstream can be reused for a request intended for another upstream, causing cross-upstream data access and modification. The default configuration is affected. Setting disableCache to true prevents the behavior. Patches: upgrade to @fastify/reply-from 12.6.4. Workarounds: pass disableCache: true when registering the plugin. | |
| Title | @fastify/reply-from vulnerable to cross-upstream request routing via URL cache key collision | |
| Weaknesses | CWE-441 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: openjs
Published:
Updated: 2026-07-18T12:28:17.262Z
Reserved: 2026-07-17T21:22:28.153Z
Link: CVE-2026-16158
No data.
No data.
No data.
OpenCVE Enrichment
No data.