CVE-2026-15631 in http-proxy
Summary
by MITRE • 07/18/2026
Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which collapses dot segments, so a crafted upgrade request with path traversal sequences can escape the rewrite prefix and reach upstream endpoints that were not meant to be exposed by the proxy. This is a variant of CVE-2021-21322 in a code path that never went through the HTTP fix in fastify/reply-from. Exploitation requires a non-normalizing WebSocket client, since browsers and the ws package normalize the request path before sending, but raw HTTP clients or downstream proxies that forward the request target unchanged make the attack reachable in production topologies.
Patches: upgrade to @fastify/http-proxy 11.6.0.
Workarounds: none.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/18/2026
This vulnerability exists in fastify/http-proxy versions 9.4.0 through 11.5.0 and represents a path traversal flaw in WebSocket proxying functionality. The issue stems from insufficient validation of resolved WebSocket destination paths against configured rewrite prefixes, creating a security gap that allows attackers to bypass intended access controls. When WebSocket connections are established through the WebSocketProxy.findUpstream method, the system resolves destinations using the WHATWG URL constructor which automatically collapses dot segments, effectively normalizing paths in a way that can be exploited by malicious actors.
The technical flaw manifests when a crafted WebSocket upgrade request contains path traversal sequences that exploit the normalization behavior of the WHATWG URL constructor. This allows attackers to escape the intended rewrite prefix boundaries and access upstream endpoints that should remain protected from direct exposure through the proxy. The vulnerability is particularly concerning because it operates in a code path that was not addressed by previous fixes in fastify/reply-from, making it a distinct variant of CVE-2021-21322 that specifically targets WebSocket proxying rather than HTTP operations. This represents a weakness in the proxy's path validation logic where the system fails to properly sanitize or verify that resolved paths remain within configured boundaries.
The operational impact of this vulnerability can be severe for systems relying on fastify/http-proxy for WebSocket traffic management, particularly in environments where multiple services are exposed through a single proxy interface. An attacker who successfully exploits this vulnerability could potentially access internal services, sensitive endpoints, or resources that should only be reachable through authenticated and authorized channels. The attack vector requires specific conditions including the use of non-normalizing WebSocket clients, which means that browsers and standard ws package implementations would not be vulnerable due to their built-in path normalization. However, in production environments with raw HTTP clients or downstream proxies that forward requests without normalizing paths, this vulnerability becomes exploitable and could lead to unauthorized access to backend systems.
The patch for this vulnerability involves upgrading to @fastify/http-proxy version 11.6.0 which contains the necessary fixes to properly validate WebSocket destination paths against configured rewrite prefixes. This upgrade addresses the core validation issue by ensuring that resolved WebSocket paths cannot escape their intended boundaries regardless of how the WHATWG URL constructor normalizes them. The vulnerability aligns with CWE-22 Path Traversal and CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component, as it involves improper handling of path resolution and validation in proxy operations. From an ATT&CK perspective, this vulnerability maps to T1071.004 Application Layer Protocol: Web Protocols and potentially T1566 Credential Stuffing or T1190 Exploitation for Client Execution depending on the specific exploitation methodology and target systems involved in the attack vector.
Organizations using affected versions of fastify/http-proxy should prioritize upgrading to version 11.6.0 as the primary mitigation strategy, as no effective workarounds exist for this particular vulnerability. The lack of viable workarounds underscores the importance of immediate patch deployment since attackers who can leverage non-normalizing WebSocket clients could potentially exploit this flaw in production environments without additional protective measures. System administrators should also conduct thorough security assessments to identify any other components that might be vulnerable to similar path traversal issues in their proxy infrastructure, particularly those implementing custom WebSocket handling logic that may not properly validate destination paths against configured access controls.