What is CVE-2026-33805?

CVE-2026-33805 is a high-severity vulnerability in Fastify Fastify\/http-proxy, classified under Improper Neutralization of HTTP Headers for Scripting Syntax. CVSS score: 8.6/10. Published 2026-04-15.

How severe is CVE-2026-33805?

High severity. CVSS v3 base score is 8.6 out of 10.

Vulnerability in Fastify Fastify\/http-proxy

CVE-2026-33805

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip pr…

EPSS: 0.000 (4.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.6 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N.

Affected products

Fastify Fastify\/http-proxy
Fastify Reply-from
@Fastify/reply-from @Fastify/http-proxy — versions 0, 11.4.4
@Fastify/reply-from — versions 0, 12.6.2

Weakness classification (CWE)

CWE-644 — Improper Neutralization of HTTP Headers for Scripting Syntax

References

ce714d77-add3-4f53-aff5-83d477b104bb (Exploit, Mitigation, Vendor Advisory)
ce714d77-add3-4f53-aff5-83d477b104bb (Vendor Advisory)

Frequently asked questions

What is CVE-2026-33805?: CVE-2026-33805 is a high-severity vulnerability in Fastify Fastify\/http-proxy, classified under Improper Neutralization of HTTP Headers for Scripting Syntax. CVSS score: 8.6/10. Published 2026-04-15.
How severe is CVE-2026-33805?: High severity. CVSS v3 base score is 8.6 out of 10.