CVE-2025-66415 – fastify-reply-from bypass of reply forwarding

CVE ID : CVE-2025-66415

Published : Dec. 1, 2025, 11:15 p.m. | 1 hour, 9 minutes ago

Description : fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0.

Severity: 6.9 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…