CVE ID :CVE-2026-3635 Published : March 23, 2026, 2:16 p.m. | 1 hour, 25 minutes ago Description :Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. Affected Versions fastify <=Severity: 6.1 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...