CVE-2025-66415

MEDIUM

fastify/reply-from < 12.5.0 - Unintended Proxy Access via Malicious URL

Title source: llm

Description

fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-2q7r-29rg-6m5h

Patch x_refsource_misc

https://github.com/fastify/fastify-reply-from/commit/4d9795cd5b57a36756d37b7f036eae369f69fa66

View Patch ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.0015

EPSS Percentile 4.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-441

Status published

Products (2)

fastify/reply-from < 12.4.0

fastify/reply-from 0 - 12.5.0npm

Published Dec 01, 2025

Tracked Since Feb 18, 2026