CVE-2026-33805: Fastify's connection header abuse enables stripping of proxy-added headers
@fastify/reply-from and @fastify/http-proxy process the client’s Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers (like access control or identification headers) from upstream requests by listing them in the Connection header value. This affects applications using these plugins with custom header injection for routing, access control, or security purposes.
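The ordering problem described above is easy to see in a few lines. The following is an added illustration, not code from @fastify/reply-from or @fastify/http-proxy: a plain JavaScript model of how a proxy builds its upstream header set, once in the vulnerable order (proxy headers added, then the client's Connection list applied) and once in the fixed order (Connection list applied to the client's headers first, proxy headers added afterwards). The header names `x-internal-auth` and `x-forwarded-for`, the `addProxyHeaders` stand-in for a `rewriteRequestHeaders` hook, and the sample request are all constructed for the example.

```javascript
// Added example (not the plugins' own code) for the header-ordering issue in
// CVE-2026-33805. Hop-by-hop headers named in the client's Connection header
// must be removed BEFORE the proxy adds its own headers; otherwise the client
// can name the proxy's headers and have them removed from the upstream request.

// Hop-by-hop header names a proxy never forwards (RFC 9110 section 7.6.1),
// extended with whatever the client listed in its Connection header.
function hopByHopNames(headers) {
  const names = new Set(['connection', 'keep-alive', 'proxy-connection',
    'transfer-encoding', 'te', 'trailer', 'upgrade']);
  const conn = headers['connection'];
  if (typeof conn === 'string') {
    for (const token of conn.split(',')) {
      const t = token.trim().toLowerCase();
      if (t) names.add(t);
    }
  }
  return names;
}

// Return a copy of `headers` without the hop-by-hop names (Connection included).
function stripHopByHop(headers) {
  const names = hopByHopNames(headers);
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (!names.has(k.toLowerCase())) out[k] = v;
  }
  return out;
}

// Hypothetical proxy-added headers, standing in for a rewriteRequestHeaders hook.
function addProxyHeaders(headers) {
  return {
    ...headers,
    'x-internal-auth': 'trusted',        // constructed access-control marker
    'x-forwarded-for': '203.0.113.5',    // constructed client identification
  };
}

// Vulnerable ordering: proxy headers are added first and the client's
// Connection header is processed afterwards, so a client sending
// "Connection: close, x-internal-auth" strips the proxy's own header.
function buildUpstreamHeadersVulnerable(clientHeaders) {
  return stripHopByHop(addProxyHeaders(clientHeaders));
}

// Fixed ordering: hop-by-hop names (and Connection itself) are removed from the
// client's headers first; headers added afterwards cannot be named by the client.
function buildUpstreamHeadersFixed(clientHeaders) {
  return addProxyHeaders(stripHopByHop(clientHeaders));
}

// Detection aid: which of the proxy's protected header names did the client
// list in Connection? A non-empty result is worth logging at the edge.
function protectedNamesInConnection(clientHeaders, protectedNames) {
  const listed = hopByHopNames(clientHeaders);
  return protectedNames.filter((n) => listed.has(n.toLowerCase()));
}

// Constructed sample request headers as a proxy would receive them.
const sampleClientHeaders = {
  host: 'api.example.test',
  connection: 'close, x-internal-auth, x-forwarded-for',
  'user-agent': 'curl/8.0',
};

// Stand-alone run: show both orderings side by side.
console.log('vulnerable:', buildUpstreamHeadersVulnerable(sampleClientHeaders));
console.log('fixed:     ', buildUpstreamHeadersFixed(sampleClientHeaders));
console.log('flagged:   ', protectedNamesInConnection(sampleClientHeaders,
  ['x-internal-auth', 'x-forwarded-for']));
```

In the vulnerable ordering the upstream request reaches the backend with neither `x-internal-auth` nor `x-forwarded-for`; in the fixed ordering both survive and the client's `Connection` header is still dropped as a hop-by-hop header should be. Until the plugins are updated, a backend that treats a proxy-added header as proof of authorization should also fail closed when that header is absent, and the edge can log requests whose `Connection` value names any proxy-managed header.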