CVE-2026-3635
Description
Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.
Affected Versions fastify <= 5.8.2
Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.
When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
fastifynpm | < 5.8.3 | 5.8.3 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- cna.openjsf.org/security-advisories.htmlnvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-444r-cwp2-x5xfghsaADVISORY
- github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xfnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-3635ghsaADVISORY
- www.cve.org/CVERecordnvdThird Party AdvisoryWEB
- github.com/fastify/fastify/releases/tag/v5.8.3ghsaWEB
News mentions
0No linked articles in our index yet.