CVSS v3
10
CRITICAL
EPSS Score
—
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the ups
Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the ups
Active exploitation of CVE-2026-16117 has not been confirmed. The EPSS score is N/A%, indicating the estimated probability of exploitation in the next 30 days.
CVE-2026-16117 has a CVSS v3 base score of 10 (CRITICAL severity), with vector string 3.1.
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.