641 matches found
MAL-2025-47663 Malicious code in example-fastify-web (npm)
MAL-2025-47378 Malicious code in @art-ws/fastify-http-server (npm)
The package was compromised and malicious code added. Source: ghsa-malware 2c40306cbe87fac1be79013ed5a824913519c2637c04ba13ca111504708d8264. Any computer that has this package installed or running should be considered fully compromised. All...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. Compromised versions of this package contain a file called bundle.js that exfiltrates secrets from the user's accounts, including credentials and API tokens. It also downloads malicious files and repackages them...
@art-ws/fastify-http-server (>=2.0.1 <=2.0.23), @art-ws/openapi (>=0.1.1 <=0.1.8) potentially affected by unknown CVE via @art-ws/di (>=2.0.1 <=2.0.27)
@art-ws/di (npm); version ranges as listed above. Source CVEs: unknown CVE. Source advisory: SNYK:JS-ARTWSDI-12744471...
@art-ws/openapi (>=0.1.1 <=0.1.8) potentially affected by unknown CVE via @art-ws/fastify-http-server (>=2.0.15 <=2.0.23)
@art-ws/fastify-http-server (npm); version ranges as listed above. Source CVEs: unknown CVE. Source advisory: SNYK:JS-ARTWSFASTIFYHTTPSERVER-12744474...
MAL-2025-41382 Malicious code in example-fastify-api (npm)
The package communicates with a domain associated with malicious activity...
Security Bulletin: Vulnerabilities in Fastify affects IBM watsonx Orchestrate with watsonx Assistant Cartridge
Summary: A potential vulnerability in Fastify has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge (UAB Component). The vulnerability has been addressed; refer to the details for additional information. Vulnerability Details: CVE ID: CVE-2025-32442. Description: Fastify ...
CVE-2024-22207
fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of @fastify/swagger-ui without baseDir set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting th...
CVE-2023-25576
@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an...
CVE-2023-29020
@fastify/passport is a port of the passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forgery) protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport in affected versions, can be bypassed by network and same-site attackers...
CVE-2023-51701
fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. A reverse proxy server built with @fastify/reply-from could misinterpret the incoming body when a client passes a header such as `Content-Type: application/json ; charset=utf-8` (note the whitespace before the `;`). This can lead to a bypass of security checks...
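The bug class behind this advisory is a Content-Type check that compares the raw header string instead of the parsed media type. The block below is an added illustration written for this page, not code from @fastify/reply-from: a naive exact-string check beside a small parser that lower-cases the media type and tolerates whitespace around `;`, run over constructed header values. The function names and the sample headers are assumptions made here.

```javascript
// Added example (not @fastify/reply-from code): comparing Content-Type by
// exact string is bypassable; compare the parsed media type instead.

// Naive check that a proxy author might write. A client sending
// "application/json ; charset=utf-8" (space before ';') or "Application/JSON"
// fails this test, yet a downstream JSON parser still treats the body as JSON,
// so the proxy and the upstream disagree about what the body is.
function isJsonNaive(header) {
  return header === 'application/json' ||
         header === 'application/json; charset=utf-8';
}

// Parse a Content-Type value per RFC 9110: a media type followed by
// ';'-separated parameters. Whitespace around ';' and '=' is insignificant;
// the media type and parameter names are case-insensitive.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const [typePart, ...paramParts] = header.split(';');
  const mediaType = typePart.trim().toLowerCase();
  // Require exactly "type/subtype" built from RFC 9110 token characters.
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  if (!new RegExp(`^${token}/${token}$`).test(mediaType)) return null;
  const params = Object.create(null); // no prototype keys leaking into params
  for (const p of paramParts) {
    const eq = p.indexOf('=');
    if (eq === -1) continue;
    const name = p.slice(0, eq).trim().toLowerCase();
    let value = p.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // quoted-string parameter value
    }
    if (name) params[name] = value;
  }
  return { mediaType, params };
}

// Hardened check: decide on the parsed media type only.
function isJson(header) {
  const ct = parseContentType(header);
  return ct !== null && ct.mediaType === 'application/json';
}

// Constructed header values (assumption: what a client probing a proxy might send).
const SAMPLES = [
  'application/json',
  'application/json ; charset=utf-8',
  'Application/JSON;charset=UTF-8',
  'text/plain',
  'not a type',
];

// Returns, per sample, what the naive and the parsed check conclude.
function compare(samples = SAMPLES) {
  return samples.map((h) => ({ header: h, naive: isJsonNaive(h), parsed: isJson(h) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compare());
}
```

Whatever rule a proxy uses to decide how a body is handled, the upstream server must apply the same rule; normalising the header once and forwarding the normalised value is the simplest way to keep the two in agreement.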
CVE-2023-22477
Mercurius is a GraphQL adapter for Fastify. All users of Mercurius prior to version 10.5.0 are subject to a denial of service attack by sending a malformed packet over WebSocket to /graphql. This issue was patched in #940. As a workaround, users can disable subscriptions...
CVE-2021-29624
fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 use a "double submit" mechanism based on cookies, which can be bypassed when the application is deployed across multiple subdomains, e.g. a "heroku"-style platform as a service, because a sibling subdomain can set the cookie the check relies on...
CVE-2020-8192
A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion when the allErrors option is used with specially crafted schemas...
CVE-2020-8136
Prototype pollution vulnerability in fastify-multipart 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request...
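Both multipart advisories on this page (the unbounded part count in CVE-2023-25576 and the prototype pollution in CVE-2020-8136) come down to how a parser stores and counts parts. The block below is an added example written for this page, not @fastify/multipart or fastify-multipart code: a minimal `multipart/form-data` parser that enforces a part limit and keeps field names in a prototype-less object, exercised against a constructed request body and a constructed flood of parts. The boundary, field names, limit value and helper names are assumptions.

```javascript
// Added example (not @fastify/multipart code): a small multipart/form-data
// parser showing (1) a hard cap on the number of parts so a client cannot
// force unbounded work, and (2) field storage on a prototype-less object so
// attacker-chosen names such as "__proto__" are ordinary keys.

class MultipartLimitError extends Error {}

function parseMultipart(body, boundary, { maxParts = 100 } = {}) {
  const delimiter = `--${boundary}`;
  const fields = Object.create(null); // no Object.prototype behind it
  let parts = 0;
  const chunks = body.split(delimiter);
  // chunks[0] is the preamble; the closing delimiter leaves a chunk that starts with "--".
  for (let i = 1; i < chunks.length; i++) {
    let chunk = chunks[i];
    if (chunk.startsWith('--')) break; // closing delimiter reached
    if (++parts > maxParts) {
      throw new MultipartLimitError(`more than ${maxParts} parts`);
    }
    chunk = chunk.replace(/^\r\n/, '').replace(/\r\n$/, '');
    const sep = chunk.indexOf('\r\n\r\n'); // end of the part headers
    if (sep === -1) continue; // malformed part: no header/body separator
    const headerBlock = chunk.slice(0, sep);
    const value = chunk.slice(sep + 4);
    const m = /name="([^"]*)"/i.exec(headerBlock);
    if (!m) continue; // no Content-Disposition name, nothing to store
    fields[m[1]] = value; // safe even for "__proto__" or "constructor"
  }
  return { parts, fields };
}

// Own-property check that does not depend on the object having a prototype.
function hasField(fields, name) {
  return Object.prototype.hasOwnProperty.call(fields, name);
}

// Constructed request body, as a client would send it (assumption).
function buildBody(pairs, boundary) {
  let body = '';
  for (const [name, value] of pairs) {
    body += `--${boundary}\r\nContent-Disposition: form-data; name="${name}"\r\n\r\n${value}\r\n`;
  }
  return body + `--${boundary}--\r\n`;
}

function demo() {
  const boundary = 'boundary123';
  const normal = parseMultipart(
    buildBody([['user', 'alice'], ['role', 'viewer'], ['__proto__', 'x']], boundary),
    boundary,
  );
  // A flood of 500 parts against a limit of 100 is rejected after the 101st.
  const flood = buildBody(Array.from({ length: 500 }, (_, i) => [`f${i}`, 'x']), boundary);
  let limited = false;
  try {
    parseMultipart(flood, boundary, { maxParts: 100 });
  } catch (e) {
    limited = e instanceof MultipartLimitError;
  }
  return { normal, limited };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { normal, limited } = demo();
  console.log(normal.parts, Object.keys(normal.fields), limited);
}
```

A real parser must apply the same cap while streaming, before buffering a part, and should cap field name and value sizes as well; the point here is that the limit is checked before any per-part work is done, and that consumers use `hasField` rather than `fields.hasOwnProperty(...)`, which would not exist on a prototype-less object and could be shadowed by a part named `hasOwnProperty` on an ordinary one.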
Exploit for CVE-2025-47240
Remote Code Execution via @fastify/view raw rendering Ve...
PT-2025-18960 · Unknown · Fastify/View
Name of the Vulnerable Software and Affected Versions: @fastify/view, affected versions not specified. Description: The issue concerns a potential Remote Code Execution (RCE) vulnerability in the @fastify/view plugin for Fastify, which allows the use of template engines for generating HTML pages on t...
Fastify: Remote Code Execution via unsafe usage of `reply.view({ raw })` in @fastify/view (EJS template engine)
The @fastify/view plugin, when used with the EJS engine and the `reply.view({ raw: ... })` pattern, allowed arbitrary EJS execution. This vulnerability arose from the fact that Fastify trusted the raw template string without sanitization or restrictions when passing it directly to EJS's compile method, leading ...