Impact
The vulnerability exists in @fastify/reply-from and @fastify/http-proxy where the library processes the client's Connection header after the proxy has injected its own headers. This allows an attacker to list those proxy-added headers in the Connection header value, causing the library to strip them from the upstream request. The result is that routing, access-control, or security headers that the proxy added are removed, enabling the attacker to bypass proxy-enforced controls or redirect traffic. This flaw is a form of HTTP header manipulation (CWE-644) and header injection that can lead to header spoofing or denial of service (CWE-444), compromising the integrity and confidentiality of requests handled by the proxy.
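The ordering defect described above, as an added example that is not code from @fastify/reply-from or @fastify/http-proxy: a minimal model of how a proxy assembles upstream headers, showing the vulnerable ordering (proxy headers injected before the client's Connection tokens are honoured) beside a hardened ordering, plus a request-level check a defender can use for logging or a WAF rule. The header names (`X-Gateway-Auth`, `X-Forwarded-For`) and values are constructed samples.

```javascript
// Added example, not the plugins' own code: models the header-ordering defect
// from the advisory, a hardened ordering, and a detection check.

const HOP_BY_HOP = ['connection', 'keep-alive', 'proxy-authenticate',
  'proxy-authorization', 'te', 'trailer', 'transfer-encoding', 'upgrade'];

function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Header names that the Connection header nominates as hop-by-hop
// (comma-separated, case-insensitive).
function connectionTokens(headers) {
  const value = headers.connection;
  if (!value) return [];
  return value.split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Drop the standard hop-by-hop headers plus any names listed in `extra`.
function stripHopByHop(headers, extra) {
  const drop = new Set([...HOP_BY_HOP, ...extra]);
  return Object.fromEntries(
    Object.entries(headers).filter(([k]) => !drop.has(k)));
}

// Vulnerable ordering: inject the proxy's headers first, then honour the
// client's Connection tokens, so a client can nominate a proxy-added header
// and have it removed from the upstream request.
function upstreamHeadersVulnerable(clientHeaders, proxyHeaders) {
  const merged = { ...lowerKeys(clientHeaders), ...lowerKeys(proxyHeaders) };
  return stripHopByHop(merged, connectionTokens(merged));
}

// Hardened ordering: strip hop-by-hop headers from the client's headers only,
// then inject the proxy's headers, which can no longer be nominated for removal.
function upstreamHeadersFixed(clientHeaders, proxyHeaders) {
  const client = lowerKeys(clientHeaders);
  const cleaned = stripHopByHop(client, connectionTokens(client));
  return { ...cleaned, ...lowerKeys(proxyHeaders) };
}

// Detection aid: names the client nominated in Connection that match headers
// the proxy itself is responsible for adding (constructed list supplied by caller).
function nominatedProtectedHeaders(clientHeaders, protectedNames) {
  const protectedSet = new Set(protectedNames.map((n) => n.toLowerCase()));
  return connectionTokens(lowerKeys(clientHeaders))
    .filter((t) => protectedSet.has(t));
}
```

With a client request whose Connection header reads `close, X-Gateway-Auth`, the vulnerable ordering forwards no `x-gateway-auth` header at all, while the hardened ordering forwards the proxy's value and ignores the client's nomination.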
Affected Systems
Affected products include the Fastify reply-from plugin up to and including version 12.6.1 and the Fastify http-proxy plugin up to and including version 11.4.3. Both libraries process the Connection header in a way that allows the aforementioned manipulation and must be upgraded to the versions cited in the advisory for remediation.
Risk and Exploitability
The advisory assigns a CVSS base score of 9, indicating critical impact. This vulnerability has an EPSS score of <1% (approximately 0.04%), indicating a very low exploitation probability, and it is not listed in the CISA KEV catalog. Combined with the straightforward attack vector, that severity still makes this a high-risk flaw. An attacker only needs to send an HTTP request to the vulnerable proxy service and supply a Connection header that names a proxy-added header; no authentication is required. If the proxy forwards requests to sensitive services, the attacker can effectively remove headers that guard against unauthorized access or enforce routing policies.
OpenCVE Enrichment