CVE-2021-21322 CRITICAL

CVE-2021-21322: Prefix escape

Vendor Fastify
Product fastify-http-proxy
Weakness CWE-20 · Input validation
Published March 2, 2021
Last update August 3, 2024

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is `/pub/`, a user expect that accessing `/priv` on the target service would not be possible. In affected versions, it is possible. This is fixed in version 4.3.1.

Key dates

02Disclosure timeline

March 2, 2021 CVE published
August 3, 2024 Record updated