漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
@fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers
Vulnerability Description
@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. Upgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.
CVSS Information
N/A
Vulnerability Type
对HTTP头部进行脚本语法转义处理不恰当
Vulnerability Title
fastify/reply-from和fastify/http-proxy 安全漏洞
Vulnerability Description
fastify/reply-from和fastify/http-proxy都是Fastify开源的产品。fastify/reply-from是一个插件,用于将传入的 HTTP 请求转发到另一个服务器。fastify/http-proxy是一个全功能 HTTP 代理插件,支持代理 WebSocket 和各种路由重定向。 fastify/reply-from 12.6.1及之前版本和fastify/http-proxy 11.4.3及之前版本存在安全漏洞,该漏洞源于在代理通过rewriteRequestHea
CVSS Information
N/A
Vulnerability Type
N/A