CVE-2023-51701: 
JavaScript vulnerability analysis and mitigation

A vulnerability was discovered in @fastify/reply-from, a Fastify plugin used for forwarding HTTP requests to another server. The vulnerability (CVE-2023-51701) affects versions prior to 9.6.0 and was disclosed on January 8, 2024. The issue involves incorrect interpretation of incoming bodies when processing Content-Type headers with specific formatting (GitHub Advisory).

The vulnerability stems from inconsistent Content-Type parsing behavior between the main Fastify repository and @fastify/reply-from. While the main Fastify repository uses fast-content-type-parse to parse request Content-Type headers with proper trimming after splitting, @fastify/reply-from lacks this unified parsing approach. The vulnerability is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests) and has received a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).

When exploited, this vulnerability could allow attackers to bypass security checks by manipulating the Content-Type header format, specifically when using headers like 'ContentType: application/json ; charset=utf-8'. This could lead to unauthorized access or security control circumvention (GitHub Advisory).

The vulnerability has been patched in @fastify/reply-from version 9.6.0. Users are advised to upgrade to this version or later as there are no known workarounds (GitHub Release).