fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0.
{
"cwe_ids": [
"CWE-441"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66415.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:fastify:reply-from:*:*:*:*:*:node.js:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "12.4.0"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}