Low severity · NVD Advisory · Published Mar 2, 2021 · Updated Aug 3, 2024
Prefix escape
CVE-2021-21322
Description
fastify-http-proxy is an npm package that provides a fastify plugin for proxying HTTP requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base URL of the proxied server is /pub/, a user expects that accessing /priv on the target service would not be possible. In affected versions, it is possible. This is fixed in version 4.3.1.
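The description above does not give the crafted URL, so the following is an added example of the general containment check a prefix-mounted proxy needs, not code from fastify-http-proxy or its fix. The upstream base `http://backend.example/pub/`, the function name `resolveUnderBase` and the sample paths in the comments are constructed for illustration.

```javascript
// Added example (not project code): keep a proxied request inside the
// upstream base path. BASE is an assumed upstream mounted at /pub/.
const BASE = new URL('http://backend.example/pub/');

// Resolve the part of the request URL that follows the proxy prefix against
// the upstream base. Returns the destination URL, or null when the resolved
// URL leaves the base origin or the base path.
function resolveUnderBase(base, suffix) {
  if (typeof suffix !== 'string') return null;
  // For http(s) URLs the parser treats "\" as a path separator, so reject it
  // up front instead of depending on later normalisation.
  if (suffix.includes('\\')) return null;

  let dest;
  try {
    // WHATWG URL resolution collapses "." and ".." segments, so the check
    // below runs on the path the upstream would actually receive.
    dest = new URL(suffix, base);
  } catch (err) {
    return null; // unparsable input is refused, not forwarded
  }

  // A scheme-relative ("//host/...") or absolute URL changes the origin.
  if (dest.origin !== base.origin) return null;

  // Compare against the base path with a trailing slash so that a sibling
  // such as /public is not accepted as being under /pub.
  const basePath = base.pathname.endsWith('/')
    ? base.pathname
    : base.pathname + '/';
  if (!dest.pathname.startsWith(basePath)) return null;

  return dest;
}

// Constructed inputs:
//   resolveUnderBase(BASE, 'docs/a.txt?x=1')  stays under /pub/
//   resolveUnderBase(BASE, '../priv')         resolves to /priv, refused
//   resolveUnderBase(BASE, '//other.example/pub/x')  other origin, refused
```

Running the check on the resolved URL rather than on the raw request string is the point: the comparison has to see the same path the backend will see.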
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fastify-http-proxy (npm) | < 4.3.1 | 4.3.1 |
Affected products
- Range: < 4.3.1
References
- github.com/advisories/GHSA-c4qr-gmr9-v23w (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-21322 (ghsa, ADVISORY)
- github.com/fastify/fastify-http-proxy/commit/02d9b43c770aa16bc44470edecfaeb7c17985016 (ghsa, x_refsource_MISC, WEB)
- github.com/fastify/fastify-http-proxy/security/advisories/GHSA-c4qr-gmr9-v23w (ghsa, x_refsource_CONFIRM, WEB)
- www.npmjs.com/package/fastify-http-proxy (ghsa, x_refsource_MISC, WEB)