CVE-2026-3635

Published: Mar 23, 2026 Last Modified: Mar 23, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 6,1
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Attack Vector: adjacent_network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: changed
Confidentiality: high
Integrity: none
Availability: none

Description

AI Translation Available

Summary
When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions
fastify <= 5.8.2

Impact
Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

348

Use of Less Trusted Source

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism Gain Privileges Or Assume Identity
Applicable Platforms
All platforms may be affected
View CWE Details
https://cna.openjsf.org/security-advisories.html
https://cna.openjsf.org/security-advisories.html
https://github.com/fastify/fastify/security/advisories/GHSA…
https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf
https://www.cve.org/CVERecord?id=CVE-2026-3635
https://www.cve.org/CVERecord?id=CVE-2026-3635