639 matches found
Interpretation Conflict
Overview @fastify/middie is a Middleware engine for Fastify Affected versions of this package are vulnerable to Interpretation Conflict in the resolveNormalizationOptions function's deprecated ignoreDuplicateSlashes configuration option. An attacker can bypass middleware by crafting URLs with...
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
Impact @fastify/middie v9.3.1 and earlier does not read the deprecated but still functional top-level ignoreDuplicateSlashes option, only reading from routerOptions. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, allowing middleware bypass via...
CVE-2026-33805
A flaw was found in @fastify/reply-from and @fastify/http-proxy. A remote attacker can exploit this vulnerability by manipulating the Connection header in client requests. This allows the attacker to remove specific headers that the proxy has added for security, routing, or access control purpose...
CVE-2026-6414
A flaw was found in @fastify/static. A remote attacker can exploit this vulnerability by sending specially crafted requests that include percent-encoded path separators. This mismatch in how @fastify/static decodes these separators compared to the Fastify router allows the attacker to bypass...
CVE-2026-6410
A flaw was found in @fastify/static. When directory listing is enabled, a remote unauthenticated attacker can exploit a path traversal vulnerability. This occurs because the dirList.path function incorrectly resolves directories outside the configured static root. Successful exploitation allows t...
CVE-2026-33804
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicat...
CVE-2026-6410
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path function resolves directories outside the configured static root using path.join without a containment check. A remote unauthenticated attacker can obtain...
CVE-2026-6270
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the...
CVE-2026-33804 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicat...
CVE-2026-33804 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicat...
CVE-2026-33804
CVE-2026-33804 affects @fastify/middie v9.3.1 and earlier, where middleware bypass can occur when the deprecated top-level ignoreDuplicateSlashes option is enabled. The middleware’s path-matching does not account for duplicate-slash normalization performed by Fastify’s router, allowing requests w...
CVE-2026-6270 @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the...
CVE-2026-6270 @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the...
CVE-2026-6270
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the...
CVE-2026-6270
Summary : The vulnerability affects the Node.js module @fastify/middie, specifically versions 9.3.1 and earlier. The root cause is that inherited middleware is not registered on child plugin engine instances, so when a Fastify app registers authentication middleware in a parent scope and then loa...
CVE-2026-6410 @fastify/static vulnerable to path traversal in directory listing
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path function resolves directories outside the configured static root using path.join without a containment check. A remote unauthenticated attacker can obtain...
@13w/local-rag (>=1.6.0 <=1.7.2), @24letters/devservers (>=0.1.0 <=0.5.0) +626 more potentially affected by CVE-2026-6410 via @fastify/static (>=8.0.0 <=9.1.0)
@fastify/static NPM version =8.0.0, =1.6.0, =0.1.0, =0.1.0, =0.4.0, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0-beta.23, =0.0.1, =1.0.0, =2.0.0, =1.0.0, =1.1.0 and more Source cves: CVE-2026-6410 Source advisory: SNYK:JS-FASTIFYSTATIC-16098211...
CVE-2026-6410
Affected product/component: @fastify/static, versions 8.0.0–9.1.0. Root cause: dirList.path() uses path.join() to resolve directories outside the configured static root without containment checks, enabling path traversal when directory listing is enabled via the list option. Impact: remote unauth...
CVE-2026-6410
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path function resolves directories outside the configured static root using path.join without a containment check. A remote unauthenticated attacker can obtain...
CVE-2026-6410 @fastify/static vulnerable to path traversal in directory listing
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path function resolves directories outside the configured static root using path.join without a containment check. A remote unauthenticated attacker can obtain...