CVE-2025-66415

5.4 MEDIUM

📋 TL;DR

CVE-2025-66415 is an authorization bypass vulnerability in fastify-reply-from, a Fastify plugin for HTTP request forwarding. Attackers can craft malicious URLs to access routes that should be restricted, even when reply.from is configured for specific routes only. This affects all applications using vulnerable versions of fastify-reply-from.

💻 Affected Systems

Products:
  • fastify-reply-from
Versions: All versions prior to 12.5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using fastify-reply-from with route-specific forwarding configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete bypass of route-based access controls, allowing attackers to access internal APIs, administrative endpoints, or sensitive data that should be restricted.

🟠 Likely Case

Unauthorized access to specific backend services or APIs that should be protected by route filtering, potentially exposing sensitive information.

🟢 If Mitigated

Limited impact if proper network segmentation and additional authentication layers exist, though route filtering would still be bypassed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting specific URLs but does not require authentication to the vulnerable application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.5.0

Vendor Advisory: https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-2q7r-29rg-6m5h

Restart Required: Yes

Instructions:

1. Update package.json to specify fastify-reply-from version 12.5.0 or higher.
2. Run npm update fastify-reply-from or yarn upgrade fastify-reply-from.
3. Restart your Fastify application.

🔧 Temporary Workarounds

Route validation middleware (applies to: all)

Implement custom middleware to validate and sanitize URLs before they reach fastify-reply-from.

Network filtering (applies to: all)

Use WAF or reverse proxy rules to block suspicious URL patterns targeting the forwarding endpoint.

🧯 If You Can't Patch

  • Implement strict input validation for all URLs processed by fastify-reply-from
  • Add additional authentication/authorization checks before forwarding requests

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for fastify-reply-from version. If version is below 12.5.0, the system is vulnerable.

Check Version:

npm list fastify-reply-from | grep fastify-reply-from

Verify Fix Applied:

After updating, verify the installed version is 12.5.0 or higher using npm list fastify-reply-from or checking package-lock.json.
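The version check above can be automated across a lockfile, including nested copies that a top-level dependency pins separately. The script below is an added example, not code from the advisory or from the fastify-reply-from project; the lockfile object at the bottom is constructed sample data.

```javascript
// Added example (not from the advisory or the project): audit a
// package-lock.json (lockfileVersion 2/3) for fastify-reply-from copies
// older than the fixed release 12.5.0 (CVE-2025-66415).

const PACKAGE = 'fastify-reply-from';
const FIXED_VERSION = '12.5.0';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b; 12.5.0-rc.1 < 12.5.0.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  return pa.pre ? -1 : 1;
}

function isVulnerable(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Report every installed copy, including ones nested under another
// package's node_modules directory, with its vulnerability status.
function auditLockfile(lock) {
  const suffix = `node_modules/${PACKAGE}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({
      path,
      version: entry.version,
      vulnerable: isVulnerable(entry.version),
    }));
}

// Constructed sample: top-level copy patched, nested copy still vulnerable.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/fastify-reply-from': { version: '12.5.0' },
    'node_modules/some-proxy-lib/node_modules/fastify-reply-from': { version: '11.2.1' },
  },
};
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any entry reported as vulnerable still needs the upgrade even if the top-level copy is already at 12.5.0.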

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL patterns in requests to forwarding endpoints
  • Access to routes that should be filtered by fastify-reply-from configuration

Network Indicators:

  • HTTP requests with crafted URLs containing path traversal or parameter manipulation

SIEM Query:

source="application_logs" AND (message="*fastify-reply-from*" AND (url="*../*" OR url="*;*" OR url="*%2f*"))
