Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop…
openjs·CWE-348·Published 2026-03-23
Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. Affected Versions fastify <= 5.8.2 Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function. When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.
Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. Affected Versions fastify <= 5.8.2 Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function. When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.
## Summary When `trustProxy` is configured with a restrictive trust function (e.g., a specific IP like `trustProxy: '10.0.0.1'`, a subnet, a hop count, or a custom function), the `request.protocol` and `request.host` getters read `X-Forwarded-Proto` and `X-Forwarded-Host` headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. ## Affected Versions fastify <= 5.8.2 ## Impact Applications using `request.protocol` or `request.host` for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when `trustProxy` is configured with a restrictive trust function. When `trustProxy: true` (trust everything), both `host` and `protocol` trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.
## Summary When `trustProxy` is configured with a restrictive trust function (e.g., a specific IP like `trustProxy: '10.0.0.1'`, a subnet, a hop count, or a custom function), the `request.protocol` and `request.host` getters read `X-Forwarded-Proto` and `X-Forwarded-Host` headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. ## Affected Versions fastify <= 5.8.2 ## Impact Applications using `request.protocol` or `request.host` for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when `trustProxy` is configured with a restrictive trust function. When `trustProxy: true` (trust everything), both `host` and `protocol` trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.
Resumen Cuando `trustProxy` se configura con una función de confianza restrictiva (por ejemplo, una IP específica como `trustProxy: '10.0.0.1'`, una subred, un recuento de saltos o una función personalizada), los *getters* `request.protocol` y `request.host` leen los encabezados `X-Forwarded-Proto` y `X-Forwarded-Host` de cualquier conexión, incluidas las conexiones de IPs no confiables. Esto permite a un atacante que se conecta directamente a Fastify (saltándose el proxy) suplantar tanto el protocolo como el *host* vistos por la aplicación. Versiones Afectadas fastify <= 5.8.2 Impacto Las aplicaciones que utilizan `request.protocol` o `request.host` para decisiones de seguridad (aplicación de HTTPS, *flags* de cookie seguras, comprobaciones de origen CSRF, construcción de URL, enrutamiento basado en *host*) se ven afectadas cuando `trustProxy` se configura con una función de confianza restrictiva. Cuando `trustProxy: true` (confiar en todo), tanto el *host* como el protocolo confían en todos los encabezados reenviados — este es el comportamiento esperado. La vulnerabilidad solo se manifiesta con configuraciones de confianza restrictivas.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 6.1 | — | — | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | Secondary | NVD | 6.1 | 1.6 | 4.0 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | Secondary | GHSA | 6.1 | — | — | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N |