Anonymous Intelligence Signal

Fastify v5.8.3 Patches Critical Proxy Trust Bypass Vulnerability (CVE-2026-3635)

Author: The Lab (unverified) | 2026-03-25 21:27:15 | Source: GitHub Issues

A critical security flaw in the popular Fastify web framework allows attackers to spoof protocol and host information, even when restrictive proxy trust settings are in place. The vulnerability, tracked as CVE-2026-3635, stems from a logic error where the `request.protocol` and `request.host` getters incorrectly read `X-Forwarded-Proto` and `X-Forwarded-Host` headers from *any* incoming connection, regardless of whether the source IP is on the trusted list. This bypasses the intended security of the `trustProxy` configuration, which is designed to validate these headers only from trusted upstream proxies.

The issue is present when `trustProxy` is configured with a specific IP address (like '10.0.0.1'), a subnet, a hop count, or a custom validation function. In such a scenario, an attacker connecting from an untrusted IP can inject malicious `X-Forwarded-*` headers, which Fastify will then incorrectly use to determine the request's protocol (e.g., making an HTTP request appear as HTTPS) and host. This can lead to security misconfigurations, broken access controls, or incorrect application logic that relies on these values.
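To make the intended `trustProxy` semantics concrete, the following is an added example (not Fastify's own code) modelling the decision `request.protocol` and `request.host` should make: the `X-Forwarded-*` headers are honoured only when the connecting peer satisfies the `trustProxy` setting, which is exactly the check the pre-5.8.3 getters skipped. The function names (`isTrustedProxy`, `resolveOrigin`), the IPv4-only CIDR matching and the hop-count model are assumptions for illustration, not a reproduction of Fastify internals.

```javascript
// Added example: models the proxy-trust decision the advisory describes.
// Accepts trustProxy in the shapes the advisory lists (boolean, single IP or
// CIDR string, array of those, hop count, custom function) and consults
// X-Forwarded-Proto / X-Forwarded-Host only for a trusted peer.
// IPv4 only for brevity; hop-count semantics here are an assumption.

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// "10.0.0.1" is treated as "10.0.0.1/32".
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// True when `remoteAddress` is allowed to set X-Forwarded-* headers.
// hopIndex 0 is the directly connected peer (assumed hop-count model).
function isTrustedProxy(remoteAddress, trustProxy, hopIndex = 0) {
  if (typeof trustProxy === 'boolean') return trustProxy;
  if (typeof trustProxy === 'number') return hopIndex < trustProxy;
  if (typeof trustProxy === 'function') return trustProxy(remoteAddress, hopIndex);
  const list = Array.isArray(trustProxy) ? trustProxy : [trustProxy];
  return list.some(entry => inCidr(remoteAddress, entry));
}

// Secure resolution: forwarded headers are used only for a trusted peer.
// The defect in the advisory is equivalent to dropping the isTrustedProxy
// check and reading the forwarded headers from any connection.
function resolveOrigin({ remoteAddress, headers, encrypted }, trustProxy) {
  const direct = { protocol: encrypted ? 'https' : 'http', host: headers['host'] };
  if (!isTrustedProxy(remoteAddress, trustProxy)) return direct;
  const fwdProto = headers['x-forwarded-proto'];
  const fwdHost = headers['x-forwarded-host'];
  return {
    protocol: fwdProto ? fwdProto.split(',')[0].trim() : direct.protocol,
    host: fwdHost ? fwdHost.split(',')[0].trim() : direct.host,
  };
}
```

A regression check for the fixed behaviour is simply: with `trustProxy` set to the proxy's IP, a request from any other address carrying `X-Forwarded-Proto: https` must still resolve to the connection's real protocol and `Host`.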

The patch, released in Fastify version 5.8.3, corrects this behavior to ensure the `trustProxy` setting is properly enforced. The update is marked as a security patch, and the GitHub advisory includes an OpenSSF Scorecard badge for the project. Developers using Fastify with any `trustProxy` configuration must immediately update to v5.8.3 to close this vector for header injection and protocol spoofing, which could otherwise be exploited to manipulate application routing, authentication checks, or content generation logic.