CyberSec.Space Logo
Back to CVE Browser

CVE-2021-21321

CRITICAL
10.0
CVSS Severity Score
EPSS Score0.0020%
EPSS Percentile36.54th
PublishedMar 2, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is "/pub/", a user expect that accessing "/priv" on the target service would not be possible. In affected versions, it is possible. This is fixed in version 4.0.2.

Affected Platforms (CPE)

πŸ“¦
Fastify Reply From Project

Fastify Reply From

< 4.0.2

References & Advisories

πŸ”— https://github.com/fastify/fastify-reply-from/commit/dea227dda606900cc01870d08541b4dcc69d3889
πŸ”— https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-qmw8-3v4g-gwj4
πŸ”— https://www.npmjs.com/package/fastify-reply-from
πŸ”— https://github.com/fastify/fastify-reply-from/commit/dea227dda606900cc01870d08541b4dcc69d3889
πŸ”— https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-qmw8-3v4g-gwj4
πŸ”— https://www.npmjs.com/package/fastify-reply-from

Related Vulnerabilities

CVE-2021-3467910.0

Thycotic Password Reset Server before 5.3.0 allows credential disclosure.

CVE-2021-217710.0

Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Gateway). The supported version tha...

CVE-2021-4422810.0

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration...

CVE-2021-2947510.0

HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. An attacker is able to receive arbitrary file...