641 matches found
CVE-2026-22031 Fastify Middie Middleware Path Bypass
@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters e.g., /%61dmin instead of /admin. While...
CVE-2026-22031
CVE-2026-22031 affects the Fastify middleware plugin @fastify/middie (prior to 9.1.0). A vulnerability allows bypassing a middleware registered with a path prefix by using URL-encoded paths (e.g., /%61dmin). The middie engine uses path-to-regexp for matching; the regex is applied to the undecoded...
@fastify/middie security vulnerabilities
@fastify/middie is an open-source middleware engine developed by Fastify. Versions of @fastify/middie prior to 9.1.0 contained security vulnerabilities. These vulnerabilities were due to improper path prefix matching, which could allow an attacker to bypass security checks performed in prefix-scoped middleware...
PT-2026-3448
Name of the Vulnerable Software and Affected Versions @fastify/middie versions prior to 9.1.0 Description A security issue exists in @fastify/middie where middleware registered with a specific path prefix can be bypassed using URL-encoded characters. For example, using /%61dmin instead of /admin...
@fastify/express security vulnerability
@fastify/express is a compatibility plugin developed by Fastify. Versions of @fastify/express prior to 4.0.3 contained security vulnerabilities. These vulnerabilities were caused by improper path prefix matching, which could allow an attacker to bypass security checks performed in prefix-scoped middleware...
PT-2026-3452
Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.3 Description A security issue exists in the @fastify/express plugin, which provides Express compatibility for Fastify. The problem occurs when middleware is registered with a specific path prefix...
CVE-2023-29019
@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Applications using @fastify/passport in affected versions for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation...
CVE-2022-31142
@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750,...
CVE-2025-69211
Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...
EUVD-2025-205611
Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)...
GHSA-8WPR-639P-CCRJ Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)
A NestJS application is vulnerable if it meets all of the following criteria: 1. Platform: Uses @nestjs/platform-fastify. 2. Security Mechanism: Relies on NestMiddleware via MiddlewareConsumer for security checks (authentication, authorization, etc.), or on app.use(). 3. Routing: Applies middlewa...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview: @nestjs/platform-fastify is the Fastify platform adapter for Nest, a modern, fast, powerful Node.js web framework. Affected versions of this package are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition in the URL encoding middleware, allowing it to be bypassed in certain configurations. An...
CVE-2025-69211
CVE-2025-69211 affects Nest.js applications using the Fastify platform integration before version 11.1.11. The issue is a bypass in the Fastify URL encoding middleware that can skip security checks implemented via NestMiddleware (via MiddlewareConsumer) or app.use(), particularly when middleware ...