Description
Summary
When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions
fastify <= 5.8.2

Impact
Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.
Published: 2026-03-23
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Spoofing of request protocol and host can allow attackers to bypass HTTPS enforcement, set incorrect cookie flags, and bypass CSRF checks.
Action: Immediate Patch
AI Analysis

Impact

When Fastify’s trustProxy setting is configured with a restrictive trust function, the framework still allows any incoming connection to supply X-Forwarded-Proto and X-Forwarded-Host headers. An attacker who connects directly to the Fastify server, without going through a trusted proxy, can therefore instruct the application to believe it is being accessed over HTTPS or via a different host. This manipulation can break security controls that rely on request.protocol and request.host, enabling misissued secure cookies, incorrect URL generation, flawed host-based routing, and potential CSRF bypasses. The underlying weakness (CWE-348, use of a less trusted source) is that the forwarded headers are read from the connection without first applying the configured restrictive trust-proxy function to the peer address.

Affected Systems

Fastify versions 5.8.2 and earlier are affected. The advisory specifically lists fastify <= 5.8.2 as vulnerable.

Risk and Exploitability

The CVSS v3.1 base score is 6.1, indicating a medium severity vulnerability. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The most likely attack vector is an attacker directly connecting to the Fastify application over an untrusted network and sending malicious X-Forwarded-Proto and X-Forwarded-Host headers, which the framework will accept under the described configuration. The vulnerability requires the attacker to have network connectivity to the server, but no privileged access or code execution is necessary. While the likelihood of automated exploitation is uncertain, the configuration error is simple enough that a determined attacker could exploit it manually.

Generated by OpenCVE AI on March 23, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fastify to version 5.8.3 or later to patch the flaw.
  • If upgrading is not immediately possible, modify trustProxy to either be true (trust all), or ensure it is configured only for IP addresses that are truly behind a trusted reverse proxy.
  • Verify that forwarded headers are only accepted from validated upstream proxies; remove or filter X-Forwarded-Proto and X-Forwarded-Host headers from untrusted connections.
  • Review application logic that relies on request.protocol or request.host for security decisions and adjust to use stricter origin validation or scheme checks directly against the server configuration.
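
Added example, not Fastify's code and not part of this advisory: a defensive resolver that honours X-Forwarded-Proto and X-Forwarded-Host only when the peer address passes the trust check, shown beside the unconditional read the advisory describes for the affected versions. The request shape ({ remoteAddress, encrypted, headers }) is an assumed stand-in for a socket plus header map, the custom trust-function signature (address, hop) is an assumption, and the sample addresses and headers are constructed; subnet and hop-count trust forms are not implemented here.

```javascript
'use strict';
// Added example, not Fastify's code: resolve protocol and host from
// forwarded headers only when the peer address is a trusted proxy.
// Request shape { remoteAddress, encrypted, headers } is an assumed
// stand-in for a socket plus header map.

// Node reports IPv4 peers on dual-stack sockets as '::ffff:a.b.c.d';
// normalise so an IPv4 allow-list still matches (a common pitfall).
function peerAddress(req) {
  const addr = String(req.remoteAddress || '');
  return addr.startsWith('::ffff:') ? addr.slice(7) : addr;
}

// Build a trust predicate from the shapes the advisory mentions:
// true/false, one IP string, an array of IPs, or a custom function.
// The custom-function signature (address, hop) is assumed here;
// subnet and hop-count forms are left out of this example.
function buildTrust(trustProxy) {
  if (typeof trustProxy === 'function') return trustProxy;
  if (trustProxy === true) return () => true;
  if (!trustProxy) return () => false;
  const allowed = new Set([].concat(trustProxy));
  return (addr) => allowed.has(addr);
}

// First element of a possibly comma-separated forwarded header.
function firstForwardedValue(req, name) {
  const raw = req.headers[name];
  if (raw === undefined) return undefined;
  return String(raw).split(',')[0].trim();
}

// "Before" picture: the header is honoured for every connection, which
// is the behaviour the advisory describes for fastify <= 5.8.2.
function naiveProtocol(req) {
  const fwd = firstForwardedValue(req, 'x-forwarded-proto');
  if (fwd) return fwd.toLowerCase();
  return req.encrypted ? 'https' : 'http';
}

// Hardened: consult the trust predicate with the peer address first,
// and accept only the two scheme values that make sense.
function resolveProtocol(req, trustProxy) {
  const trusted = buildTrust(trustProxy)(peerAddress(req), 0);
  const fwd = trusted ? firstForwardedValue(req, 'x-forwarded-proto') : undefined;
  if (fwd) {
    const proto = fwd.toLowerCase();
    if (proto === 'http' || proto === 'https') return proto;
  }
  return req.encrypted ? 'https' : 'http';
}

// hostname[:port] only; anything else falls back to the Host header.
const HOST_RE = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?$/i;

function resolveHost(req, trustProxy) {
  const trusted = buildTrust(trustProxy)(peerAddress(req), 0);
  const fwd = trusted ? firstForwardedValue(req, 'x-forwarded-host') : undefined;
  if (fwd && HOST_RE.test(fwd)) return fwd;
  return req.headers.host || '';
}

// Constructed sample connections: one arriving through the proxy at
// 10.0.0.1, one connecting directly from an untrusted address, both
// carrying the same forwarded headers.
const FORWARDED = { host: 'app.internal:3000', 'x-forwarded-proto': 'https', 'x-forwarded-host': 'app.example.com' };
const viaProxy = { remoteAddress: '::ffff:10.0.0.1', encrypted: false, headers: { ...FORWARDED } };
const direct = { remoteAddress: '203.0.113.7', encrypted: false, headers: { ...FORWARDED } };

function demo(trustProxy = '10.0.0.1') {
  return {
    naiveDirect: naiveProtocol(direct),                   // 'https' (header honoured blindly)
    proxyProtocol: resolveProtocol(viaProxy, trustProxy), // 'https'
    directProtocol: resolveProtocol(direct, trustProxy),  // 'http'
    proxyHost: resolveHost(viaProxy, trustProxy),         // 'app.example.com'
    directHost: resolveHost(direct, trustProxy),          // 'app.internal:3000'
  };
}
```

The point of the split is that the trust decision is made on the peer address the socket reports, never on anything the client sends; with a restrictive trustProxy the direct connection falls back to the TLS state and Host header of the socket itself. The same resolver can back an onRequest hook or a plain middleware; the IPv4-mapped normalisation is worth keeping because an allow-list of dotted addresses silently fails to match on dual-stack listeners otherwise.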

Advisories
Source: Github GHSA
ID: GHSA-444r-cwp2-x5xf
Title: fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
History

Thu, 16 Apr 2026 18:00:00 +0000
  CPEs (added): cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*

Tue, 24 Mar 2026 10:45:00 +0000
  First Time appeared (added): Fastify; Fastify fastify
  Vendors & Products (added): Fastify; Fastify fastify

Tue, 24 Mar 2026 02:45:00 +0000
  References: no values listed
  Metrics threat_severity (removed): None
  Metrics threat_severity (added): Moderate

Mon, 23 Mar 2026 16:15:00 +0000
  Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 14:00:00 +0000
  Description (added): the Summary, Affected Versions and Impact text shown in the Description section above
  Title (added): Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function
  Weaknesses (added): CWE-348
  References: no values listed
  Metrics cvssV3_1 (added): {'score': 6.1, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-03-23T15:30:10.526Z

Reserved: 2026-03-06T09:16:35.081Z

Link: CVE-2026-3635

Vulnrichment

Updated: 2026-03-23T15:29:59.578Z

NVD

Status: Analyzed

Published: 2026-03-23T14:16:34.720

Modified: 2026-04-16T17:46:58.897

Link: CVE-2026-3635

Redhat

Severity: Moderate

Public Date: 2026-03-23T13:53:00Z

Links: CVE-2026-3635 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T21:28:08Z

Weaknesses