An open API service providing security vulnerability metadata for many open source software ecosystems.


EPSS (Low): 0.00446% (0.62675 percentile)

Prefix escape

Affected Package                                              | Affected Versions | Fixed Versions
npm:fastify-http-proxy (PURL: pkg:npm/fastify-http-proxy)     | < 4.3.1           | 4.3.1

Package usage:
37 dependent packages
195 dependent repositories
15,990 downloads last month

Affected Version Ranges

All affected versions

0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0, 1.0.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.2.0, 2.3.0, 3.0.0, 3.1.0, 3.2.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.2.0, 4.3.0

All unaffected versions

4.3.1, 4.4.0, 5.0.0, 6.0.0, 6.0.1, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.3.0

Impact

By crafting a specific URL, it is possible to escape the prefix of the proxied backend service.
If the base URL of the proxied server is /pub/, a user would expect that accessing /priv on the target service is not possible. Unfortunately, it is.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Patches

All releases after v4.3.1 include the fix.

Workarounds

There are no workarounds available.

For more information

If you have any questions or comments about this advisory: