Positive Technologies, added 2026/02/02 12:0 a.m., 6 views

PT-2026-5743

Name of the Vulnerable Software and Affected Versions: Fastify versions prior to 5.7.3. Description: Fastify is a web framework for Node.js. A denial-of-service condition exists in Fastify’s Web Streams response handling. A slow or non-reading client can cause unbounded buffering when backpressure i...

CVSS 3.7, AI score 5.5, EPSS 0.00488, Exploits 0, References 13
Hacker One, added 2026/01/26 11:3 a.m., 8 views

Fastify: DoS via Unbounded Memory Allocation in sendWebStream on Fastify v5.7.0+ leads to OOM crash when backpressure is ignored

A vulnerability was discovered in Fastify versions 5.7.0 and later. The issue was in the "sendWebStream" function, which failed to handle TCP backpressure correctly. When a ReadableStream was sent as a response, Fastify continuously pulled data from the stream producer and wrote it to the respons...

CVSS 3.7, AI score 5.9, EPSS 0.00488, Exploits 0
RedhatCVE, added 2026/01/20 5:21 p.m., 3 views

CVE-2026-22037

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the...

CVSS 8.8, AI score 5.5, EPSS 0.00457, Exploits 1, References 1
Github Security Blog, added 2026/01/20 4:35 p.m., 10 views

@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)

Summary: A security vulnerability exists in @fastify/express where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastif...

CVSS 8.4, AI score 5.5, EPSS 0.00321, Exploits 0, References 5, Affected Software 1
OSV, added 2026/01/20 4:35 p.m., 3 views

GHSA-G6Q3-96CP-5R5M @fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)

Summary: A security vulnerability exists in @fastify/express where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastif...

CVSS 8.4, AI score 5.6, EPSS 0.00321, Exploits 0, References 5
EUVD, added 2026/01/20 4:34 p.m., 3 views

EUVD-2026-3321

Fastify Middie Middleware Path Bypass...

CVSS 8.4, AI score 5.3, EPSS 0.00457, Exploits 1, References 5
OSV, added 2026/01/20 4:34 p.m., 1 view

GHSA-CXRG-G7R8-W69P Fastify Middie Middleware Path Bypass

Summary: A security vulnerability exists in @fastify/middie where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify...

CVSS 8.4, AI score 5.8, EPSS 0.00457, Exploits 1, References 6
Github Security Blog, added 2026/01/20 4:34 p.m., 7 views

Fastify Middie Middleware Path Bypass

Summary: A security vulnerability exists in @fastify/middie where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify...

CVSS 8.8, AI score 5.7, EPSS 0.00457, Exploits 1, References 6, Affected Software 1
RedhatCVE, added 2026/01/20 3:27 p.m., 3 views

CVE-2026-22031

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While...

CVSS 8.8, AI score 5.5, EPSS 0.00457, Exploits 1, References 1
Snyk, added 2026/01/19 5:48 p.m., 3 views

Improper Handling of URL Encoding (Hex Encoding)

Overview: @fastify/express is an Express compatibility layer for Fastify. Affected versions of this package are vulnerable to Improper Handling of URL Encoding (Hex Encoding) where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of...

CVSS 8.9, AI score 5.6, EPSS 0.00321, Exploits 0, References 2
vulnersOsv, added 2026/01/19 5:48 p.m., 8 views

@cmmn/tools (>=3.0.0-alpha-1 <=3.0.0-alpha-6), mikr0 (=0.1.10) potentially affected by CVE-2026-22037 via @fastify/express (>=4.0.1 <=4.0.2)

@fastify/express NPM version =4.0.1, =3.0.0-alpha-1, =3.0.0-alpha-6 - mikr0 =0.1.10. Source cves: CVE-2026-22037. Source advisory: SNYK:JS-FASTIFYEXPRESS-15038741...

CVSS 8.4, AI score 5.8, EPSS 0.00321, Exploits 0
NVD, added 2026/01/19 5:15 p.m., 6 views

CVE-2026-22037

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the...

CVSS 8.4, EPSS 0.00321, Exploits 0, References 2
CVE, added 2026/01/19 4:48 p.m., 22 views

CVE-2026-22037

The vulnerability affects the @fastify/express plugin (prior to version 4.0.3). Middleware registered for a specific path prefix can be bypassed when the request uses URL-encoded characters (e.g., /%61dmin instead of /admin). The middleware engine fails to match the encoded path, but the underlyi...

CVSS 8.4, AI score 5.5, EPSS 0.00321, Exploits 0, References 2
Cvelist, added 2026/01/19 4:48 p.m., 17 views

CVE-2026-22037 @fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the...

CVSS 8.4, EPSS 0.00321, Exploits 0, References 2
ATTACKERKB, added 2026/01/19 4:48 p.m., 5 views

CVE-2026-22037

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the...

CVSS 8.4, AI score 5.5, EPSS 0.00457, Exploits 1, References 3, Affected Software 1
Vulnrichment, added 2026/01/19 4:48 p.m., 5 views

CVE-2026-22037 @fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the...

CVSS 8.4, AI score 5.5, EPSS 0.00321, Exploits 0, References 2
OSV, added 2026/01/19 4:48 p.m., 7 views

CVE-2026-22037 @fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the...

CVSS 8.4, AI score 5.6, EPSS 0.00321, Exploits 0, References 4
NVD, added 2026/01/19 4:15 p.m., 8 views

CVE-2026-22031

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While...

CVSS 8.8, EPSS 0.00457, Exploits 1, References 4
Snyk, added 2026/01/19 3:46 p.m., 2 views

Improper Handling of URL Encoding (Hex Encoding)

Overview: @fastify/middie is a middleware engine for Fastify. Affected versions of this package are vulnerable to Improper Handling of URL Encoding (Hex Encoding) where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). An...

CVSS 8.9, AI score 5.6, EPSS 0.00457, Exploits 1, References 2
vulnersOsv, added 2026/01/19 3:46 p.m., 7 views

@bechara/crux (>=6.0.0 <=6.6.2), @cappa/cli (>=0.1.0 <=0.4.3) +11 more potentially affected by CVE-2026-22031 via @fastify/middie (>=9.0.2 <=9.0.3)

@fastify/middie NPM version =9.0.2, =6.0.0, =0.1.0, =0.1.0, =1.0.0, =1.0.11, =0.1.51, =1.0.36, =11.0.0, =1.3.0, =5.0.0, =0.6.1-dev, =1.1.48. Source cves: CVE-2026-22031. Source advisory: SNYK:JS-FASTIFYMIDDIE-15038725...

CVSS 8.8, AI score 5.4, EPSS 0.00457, Exploits 1