CVE-2021-21321
📋 TL;DR
CVE-2021-21321 is a path traversal vulnerability in the fastify-reply-from npm package that allows attackers to bypass URL prefix restrictions when proxying requests. By crafting specific URLs, an attacker can reach backend paths outside the intended proxied prefix. This affects every application that uses a vulnerable version of fastify-reply-from to forward requests.
💻 Affected Systems
- fastify-reply-from
📦 What is this software?
fastify-reply-from (vendor listed as the Fastify Reply From Project) is a Fastify plugin that forwards the incoming HTTP request to another server.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access unauthorized backend endpoints, potentially exposing sensitive internal services, confidential data, or administrative interfaces that should be protected behind the proxy.
Likely Case
Unauthorized access to backend services that should be restricted, potentially leading to information disclosure or privilege escalation depending on what services are exposed.
If Mitigated
With proper network segmentation and authentication layers, impact is limited to the specific proxied service rather than full backend compromise.
🎯 Exploit Status
Exploitation requires crafting URLs with specific patterns to bypass prefix checks. Public advisory includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.2
Vendor Advisory: https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-qmw8-3v4g-gwj4
Restart Required: Yes
Instructions:
1. Update the dependencies section of package.json to "fastify-reply-from": "^4.0.2"
2. Run 'npm update fastify-reply-from'
3. Restart your application
4. Verify the update with 'npm list fastify-reply-from'
🔧 Temporary Workarounds
Input validation middleware (all platforms)
Add custom middleware that validates request URLs and rejects those that leave the proxied prefix before they reach fastify-reply-from
Reverse proxy restrictions (all platforms)
Configure a reverse proxy in front of the application (nginx, Apache) to enforce URL path restrictions
🧯 If You Can't Patch
- Implement strict URL validation and sanitization in application code
- Deploy WAF rules to block path traversal patterns in URLs
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list fastify-reply-from' and see whether the installed version is below 4.0.2
Check Version:
npm list fastify-reply-from | grep fastify-reply-from
Verify Fix Applied:
After the update, confirm that the version is 4.0.2 or higher with 'npm list fastify-reply-from'
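As an added example, not from the advisory or from the Fastify project, the script below audits the JSON printed by 'npm ls fastify-reply-from --json --all' and flags every installed copy below 4.0.2, including copies nested under other dependencies, which a glance at package.json or at the top-level entry alone would miss. The function names (isBelowFixed, findInstalledVersions, auditNpmLsOutput) and the sample dependency tree are constructed for this illustration.

```javascript
// Added example (not the advisory's or the Fastify project's code): audit
// `npm ls fastify-reply-from --json --all` output for copies below 4.0.2.
// Function names and the SAMPLE tree below are constructed for illustration.
const FIXED = '4.0.2';
const PKG = 'fastify-reply-from';

// Numeric major.minor.patch comparison; returns true when `version` < `fixed`.
// A pre-release of the fixed version (e.g. 4.0.2-rc.1) counts as older than it.
function isBelowFixed(version, fixed = FIXED) {
  const parse = (v) => {
    const [core, pre] = v.split('-');
    return { nums: core.split('.').map((n) => parseInt(n, 10)), pre: pre !== undefined };
  };
  const a = parse(version);
  const b = parse(fixed);
  for (let i = 0; i < 3; i++) {
    const x = a.nums[i] || 0;
    const y = b.nums[i] || 0;
    if (x !== y) return x < y;
  }
  return a.pre && !b.pre;
}

// Walk the nested `dependencies` tree npm emits and collect every installed
// copy of the package, recording the chain of parents that pulled it in.
function findInstalledVersions(tree, name = PKG, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [depName, info] of Object.entries(deps)) {
    const here = [...path, depName];
    if (depName === name && info.version) {
      out.push({ version: info.version, path: here.join(' > ') });
    }
    findInstalledVersions(info, name, here, out);
  }
  return out;
}

// Parse the `npm ls --json` text and mark each copy as vulnerable or not.
function auditNpmLsOutput(json) {
  return findInstalledVersions(JSON.parse(json)).map((f) => ({
    ...f,
    vulnerable: isBelowFixed(f.version),
  }));
}

// Constructed sample of `npm ls fastify-reply-from --json --all`: the app
// upgraded its direct dependency, but a transitive copy is still old.
const SAMPLE = JSON.stringify({
  name: 'my-gateway',
  version: '1.0.0',
  dependencies: {
    'fastify-reply-from': { version: '4.0.2' },
    'some-proxy-wrapper': {
      version: '2.1.0',
      dependencies: { 'fastify-reply-from': { version: '3.4.0' } },
    },
  },
});

const REPORT = auditNpmLsOutput(SAMPLE);
for (const r of REPORT) {
  console.log(`${r.path}: ${r.version} ${r.vulnerable ? 'VULNERABLE (< 4.0.2)' : 'ok'}`);
}
```

Feeding it real output (pipe 'npm ls fastify-reply-from --json --all' into a file and replace SAMPLE with its contents) reports every location of the package; a fix is only complete when no entry is marked vulnerable, since the proxy route may be wired through a wrapper library that carries its own copy.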
📡 Detection & Monitoring
Log Indicators:
- Unusual URL patterns with encoded characters
- Requests to unexpected backend paths
- 404 errors from backend services for paths that should be blocked
Network Indicators:
- HTTP requests with crafted URLs containing path traversal sequences
- Requests bypassing expected URL prefixes
SIEM Query:
http.url:*%2F..%2F* OR http.url:*%2F.%2F* OR http.url:*//*
Scope the query to the hosts running fastify-reply-from. Run the third clause against the request path field rather than a full URL, since the '//' after the scheme of every absolute URL would otherwise match.
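As an added example, not code from the advisory or from the fastify-reply-from project (and not the change shipped in 4.0.2), the block below implements the input-validation workaround from the Temporary Workarounds and If You Can't Patch sections and the detection idea from this section in one place: a prefix check that normalizes the request path, including percent-encoded dot segments and double encoding, a Fastify onRequest hook built on it that is registered ahead of the proxied route, and the same check run over constructed access-log lines to flag requests whose path leaves the allowed prefix. The function names, the '/pub' prefix and the log lines are assumptions made for the example.

```javascript
// Added example, not fastify-reply-from's own code and not the 4.0.2 fix:
// a prefix guard for use before the proxy, and the same check run over
// access-log lines. normalizePath, isPathWithinPrefix, prefixGuard and
// scanAccessLog are hypothetical names; the log lines are constructed.

// Collapse empty, "." and ".." segments the way a backend router would,
// so "/pub//../priv" and "/pub/../priv" both become "/priv".
function normalizePath(path) {
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// True only if the request target stays inside `prefix` (e.g. "/pub") as
// sent and after every round of percent-decoding the backend might apply.
function isPathWithinPrefix(rawUrl, prefix) {
  // Accept origin-form targets only: a scheme or a leading "//" could
  // name a different host than the one the proxy is meant to reach.
  if (typeof rawUrl !== 'string' || !rawUrl.startsWith('/') || rawUrl.startsWith('//')) {
    return false;
  }
  const base = normalizePath(prefix);
  let path = rawUrl.split(/[?#]/, 1)[0]; // routing ignores query and fragment
  for (let round = 0; round < 3; round++) { // three rounds covers double encoding
    if (path.includes('\\') || path.includes('\0')) return false;
    const normalized = normalizePath(path);
    if (base !== '/' && normalized !== base && !normalized.startsWith(base + '/')) {
      return false;
    }
    let decoded;
    try {
      decoded = decodeURIComponent(path); // "..%2f" -> "../", "%2e%2e" -> ".."
    } catch (err) {
      // A malformed escape as sent is rejected; after a decode round a stray
      // "%" is a literal character that no further decoding can change.
      return round > 0;
    }
    if (decoded === path) return true; // fully decoded and still inside
    path = decoded;
  }
  return false; // still decoding after three rounds: treat as hostile
}

// Fastify callback-style hook. Register it before the proxied route with
//   fastify.addHook('onRequest', prefixGuard('/pub'))
// Replying from the hook ends the chain, so done() is not called in that case.
function prefixGuard(prefix) {
  return function (request, reply, done) {
    if (!isPathWithinPrefix(request.raw.url, prefix)) {
      reply.code(403).send({ error: 'request path leaves the proxied prefix' });
      return;
    }
    done();
  };
}

// Constructed access-log lines in common log format; not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Mar/2021:10:00:01 +0000] "GET /pub/index.html HTTP/1.1" 200 512',
  '10.0.0.7 - - [01/Mar/2021:10:00:02 +0000] "GET /pub/../priv/admin HTTP/1.1" 404 0',
  '10.0.0.7 - - [01/Mar/2021:10:00:03 +0000] "GET /pub/..%2fpriv/config HTTP/1.1" 200 2048',
  '10.0.0.9 - - [01/Mar/2021:10:00:04 +0000] "GET /pub/%2e%2e/priv HTTP/1.1" 301 0',
  '10.0.0.5 - - [01/Mar/2021:10:00:05 +0000] "GET /pub/images/logo.png?v=2 HTTP/1.1" 200 9001',
];

// Return the lines whose request path escapes `prefix`, for triage or as a
// detection that goes beyond matching literal "../" substrings.
function scanAccessLog(lines, prefix) {
  const reqRe = /"(?:GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS) (\S+) HTTP\/[\d.]+"/;
  const hits = [];
  for (const line of lines) {
    const m = reqRe.exec(line);
    if (m && !isPathWithinPrefix(m[1], prefix)) hits.push({ path: m[1], line });
  }
  return hits;
}

for (const h of scanAccessLog(SAMPLE_LOG, '/pub')) {
  console.log(`escapes /pub: ${h.path}`);
}
```

The hook sits in front of the proxy rather than changing it, so it is a stopgap for hosts that cannot move to 4.0.2 yet, and it rejects rather than rewrites, since a rewritten path would still depend on the backend decoding it the same way. The scanner applies the same decision to historical logs, which catches encoded variants (such as the '%2e%2e' form) that a substring match on '%2F..%2F' does not.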
🔗 References
- https://github.com/fastify/fastify-reply-from/commit/dea227dda606900cc01870d08541b4dcc69d3889
- https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-qmw8-3v4g-gwj4
- https://www.npmjs.com/package/fastify-reply-from