CVE-2021-21321

Prefix escape

Description

fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is "/pub/", a user expect that accessing "/priv" on the target service would not be possible. In affected versions, it is possible. This is fixed in version 4.0.2.

Category

10.0
CVSS
Severity: Critical
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.45%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory npmjs.com
Affected: fastify fastify-reply-from
Published at:
Updated at:

References

Link Tags
https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-qmw8-3v4g-gwj4 third party advisory
https://www.npmjs.com/package/fastify-reply-from product third party advisory
https://github.com/fastify/fastify-reply-from/commit/dea227dda606900cc01870d08541b4dcc69d3889 third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2021-21321?
CVE-2021-21321 has been scored as a critical severity vulnerability.
How to fix CVE-2021-21321?
To fix CVE-2021-21321, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-21321 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-21321 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-21321?
CVE-2021-21321 affects fastify fastify-reply-from.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.