641 matches found
CVE-2023-22477 Mercurius is vulnerable to denial of service (DoS) when using subscriptions
Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to /graphql. This issue was patched in 940. As a workaround, users can disable subscriptions...
Mercurius 安全漏洞
Mercurius is a GraphQL adapter Fastify. A security vulnerability exists in Mercurius versions prior to 10.5.0, which is caused by a denial of service attack when any user sends an incorrectly formatted packet to "/graphql" via WebSocket...
Cross-Site Request Forgery (CSRF)
fastify is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability exists due to the incorrect Content-Type used in the ContentTypeParser function of contentTypeParser.js, allowing an attacker to bypass the Pre-Flight checking of fetch.fetch requests with Content-Type’s as...
Fastify Cross-Site Request Forgery Vulnerability
Fastify is an OpenJS Foundation open source web framework for Node.js. Fastify A cross-site request forgery vulnerability exists in Fastify versions 3.0.0 and later, 3.29.4 and earlier, 4.0.0 and later, 4.10.2 and earlier, which can be exploited by an attacker to launch a cross-site request forge...
CVE-2022-41919
Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could...
Cross site request forgery (csrf)
Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could...
Fastify 跨站请求伪造漏洞
Fastify is an OpenJS Foundation open source web framework for Node.js. Fastify A cross-site request forgery vulnerability exists in Fastify versions 3.0.0 and later, 3.29.4 and earlier, 4.0.0 and later, 4.10.2 and earlier, which can be exploited by an attacker to launch a cross-site request forge...
CVE-2022-41919 Fastify vulnerable to Cross-Site Request Forgery (CSRF) attack via incorrect content type
Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could...
CVE-2022-41919 Fastify vulnerable to Cross-Site Request Forgery (CSRF) attack via incorrect content type
Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could...
CVE-2022-41919
CVE-2022-41919 : Fastify (web framework) is vulnerable to a CSRF risk due to bypass of Pre-Flight checks when requests use a non-JSON Content-Type (e.g., application/x-www-form-urlencoded, multipart/form-data, text/plain). This can bypass CORS protections and enable unauthorized cross-site action...
CVE-2022-41919 Fastify vulnerable to Cross-Site Request Forgery (CSRF) attack via incorrect content type
Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could...
@aeppic/install-build-server (>=1.2.0 <=1.9.8), @aeppic/install-repository-server (>=1.2.2 <=2.0.2) +141 more potentially affected by CVE-2022-41919 via fastify (>=3.0.0 <=3.29.3)
fastify NPM version =3.0.0, =1.2.0, =1.2.2, =0.0.68, =0.0.5, =1.0.0, =2.0.0, =1.1.1, =1.0.0, =1.0.0, =1.0.0, =4.23.1, =2.7.0, =1.0.0, =1.3.0 - @bronosorg/graph-indexer-service =1.0.0 and more Source cves: CVE-2022-41919 Source advisory: OSV:GHSA-3FJJ-P79J-C9HH...
@falkor/falkor-auth-server (=1.1.1), @figedi/sentry-fastify (=1.0.6) +6 more potentially affected by CVE-2022-41919 via fastify (>=4.0.2 <=4.10.0)
fastify NPM version =4.0.2, =0.0.2, =0.0.16 - verdaccio =6.0.0-6-next.52 Source cves: CVE-2022-41919 Source advisory: OSV:GHSA-3FJJ-P79J-C9HH...
Fastify: Incorrect Content-Type parsing can lead to CSRF attack
Impact The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/js...
GHSA-3FJJ-P79J-C9HH Fastify: Incorrect Content-Type parsing can lead to CSRF attack
Impact The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/js...
PT-2022-26149 · Fastify · Fastify
Name of the Vulnerable Software and Affected Versions: Fastify versions prior to 3.29.4 Fastify versions prior to 4.10.2 Description: The issue allows an attacker to bypass the Pre-Flight checking of fetch by using an incorrect Content-Type. This could potentially be used to invoke routes that on...
Denial Of Service (DoS)
@fastify/websocket and fastify-websocket are vulnerable to denial of service. The vulnerability is due to the fastifyWebsocket function in index.js which crashes the application on an uncaught exception when processing a malformed packet...
CVE-2022-39386
@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1....
Design/Logic Flaw
@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1....
CVE-2022-39386 fastify-websocket vulnerable to uncaught exception via crash on malformed packet
@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1....