Impact
The vulnerability exists in @fastify/reply-from and @fastify/http-proxy (the latter is built on the former): the library applies hop-by-hop header removal driven by the client's Connection header only after the proxy has already injected its own headers into the upstream request. In HTTP, any header name listed in the Connection field is hop-by-hop and is removed before the message is forwarded; because the library performs that removal over the merged header set, an attacker can list proxy-added header names in the Connection value and have the library strip them from the upstream request. The result is that routing, access-control or security headers the proxy added (for example, an identity or tenant header the upstream trusts) never reach the upstream, allowing the attacker to bypass proxy-enforced controls or alter how the request is routed. The flaw is a form of HTTP header manipulation (CWE-644) that compromises the integrity and, where the stripped headers gate access to data, the confidentiality of requests handled by the proxy.
Affected Systems
Affected products are the Fastify reply-from plugin (@fastify/reply-from) up to and including version 12.6.1 and the Fastify http-proxy plugin (@fastify/http-proxy) up to and including version 11.4.3. Both libraries apply the client's Connection header after the proxy's own headers have been added, which permits the manipulation described above; they must be upgraded to the fixed versions cited in the advisory. Because @fastify/http-proxy depends on @fastify/reply-from, check both packages, including transitive copies, with npm ls @fastify/reply-from @fastify/http-proxy. Any deployment in which the upstream service trusts headers that only the proxy is supposed to set (authenticated user, role, tenant, internal-route markers) is exposed; deployments that add no such headers are not meaningfully affected by this particular flaw.
Risk and Exploitability
The advisory assigns a CVSS base score of 9, indicating critical impact. No EPSS score is published and the vulnerability is not listed in the CISA KEV catalog, but its severity and the simplicity of the attack make it high risk: a single unauthenticated HTTP request to the vulnerable proxy with a Connection header that names a proxy-added header is sufficient. If the proxy forwards requests to sensitive services, the attacker can remove the headers that guard against unauthorized access or enforce routing policy. The practical outcome depends on how the upstream treats a missing header: an upstream that fails closed (rejects requests lacking the header) turns the attack into a denial of service for the affected request, whereas one that falls back to a default identity, role or route yields the access-control bypass the advisory describes. Either way, the proxy can no longer be relied on to enforce anything through added headers until it is patched.
OpenCVE Enrichment