{
"canonical_id": "fastify--CVE-2026-3635",
"system_id": "fastify",
"display_name": "Fastify",
"category": "frameworks",
"advisory_mode": "core",
"title": "fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections",
"summary": "## Summary\n\nWhen `trustProxy` is configured with a restrictive trust function (e.g., a specific IP like `trustProxy: '10.0.0.1'`, a subnet, a hop count, or a custom function), the `request.protocol` and `request.host` getters read `X-Forwarded-Proto` and `X-Forwarded-Host` headers from any connection \u2014 including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.\n\n## Affected Versions\n\nfastify <= 5.8.2\n\n## Impact\n\nApplications using `request.protocol` or `request.host` for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when `trustProxy` is configured with a restrictive trust function.\n\nWhen `trustProxy: true` (trust everything), both `host` and `protocol` trust all forwarded headers \u2014 this is expected behavior. The vulnerability only manifests with restrictive trust configurations.",
"published_at": "2026-03-25T19:32:28Z",
"updated_at": "2026-03-25T19:48:38.788319Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-3635",
"https://cna.openjsf.org/security-advisories.html",
"https://github.com/fastify/fastify",
"https://github.com/fastify/fastify/releases/tag/v5.8.3",
"https://www.cve.org/CVERecord?id=CVE-2026-3635"
],
"aliases": [
"CVE-2026-3635",
"GHSA-444r-cwp2-x5xf"
],
"cve_ids": [
"CVE-2026-3635"
],
"ghsa_ids": [
"GHSA-444r-cwp2-x5xf"
],
"osv_ids": [
"GHSA-444r-cwp2-x5xf"
],
"affected_versions": [
"introduced=0, fixed<5.8.3"
],
"fixed_versions": [
"5.8.3"
],
"package_name": "fastify",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/fastify/cases/fastify-cve-2026-3635.md",
"secure_code_topics": [
"proxy-trust-boundary",
"ssrf-url-validation",
"xss-output-encoding",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"entity_refs": [
{
"entity_id": "fastify",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "fastify",
"official": true
},
{
"entity_id": "fastify--project--fastify",
"entity_type": "project",
"relation": "affected-component",
"root_system_id": "fastify",
"official": false
}
],
"affected_components": [
{
"name": "fastify",
"entity_id": "fastify--project--fastify",
"scope": "package",
"package_name": "fastify",
"official": false
}
],
"affected_version_ranges": [
"introduced=0, fixed<5.8.3"
],
"fixed_version_ranges": [
"5.8.3"
],
"introduced_version": "introduced=0, fixed<5.8.3",
"patched_version": "5.8.3",
"version_evidence_sources": [
"https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf",
"https://nvd.nist.gov/vuln/detail/CVE-2026-3635",
"https://cna.openjsf.org/security-advisories.html",
"https://github.com/fastify/fastify",
"https://github.com/fastify/fastify/releases/tag/v5.8.3",
"https://www.cve.org/CVERecord?id=CVE-2026-3635"
],
"affected_version_refs": [
"fastify--project--fastify--introduced-0-fixed-5-8-3"
],
"fixed_version_refs": [
"fastify--project--fastify--5-8-3"
],
"patched_version_refs": [
"fastify--project--fastify--5-8-3"
],
"version_sync_confidence": "high",
"advisory_scope": "package",
"version_confidence": "high",
"version_gap_reason": "",
"version_resolution_needed": false,
"workflow": {
"workflow_id": "fastify--CVE-2026-3635--workflow",
"vuln_family": "proxy-boundary",
"entry_surface": "proxy-header-or-trust-boundary",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<5.8.3",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `package`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "reverse-proxy-or-edge-client",
"affected_version_assertion": [
"introduced=0, fixed<5.8.3"
],
"trigger_vector": "\u5bf9 `proxy-boundary` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/middleware",
"/x-forwarded-* trust path"
],
"input_shape": "\u63d0\u4ea4\u53d7\u63a7\u4ee3\u7406\u5934\u6216\u6765\u6e90\u5934\uff0c\u9a8c\u8bc1\u4fe1\u4efb\u8fb9\u754c\u548c\u56de\u6e90\u9274\u6743\u3002",
"expected_unsafe_behavior": "\u4ec5\u51ed\u4ee3\u7406\u5934\u5373\u53ef\u8d8a\u8fc7\u9274\u6743\u6216\u6765\u6e90\u63a7\u5236\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6",
"\u4e0a\u6e38\u4ee3\u7406\u4e0e\u5e94\u7528\u5c42\u5bf9 Content-Length / Transfer-Encoding / forwarded headers \u7684\u89e3\u91ca\u5dee\u5f02"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<5.8.3` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `5.8.3`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `proxy-boundary` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "ready"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Fastify"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 1,
"entity_ref_count": 2,
"advisory_scope": "package",
"version_confidence": "high",
"workflow_id": "fastify--CVE-2026-3635--workflow"
}
}