@fastify/middie 安全漏洞

@fastify/middie is an open-source middleware engine developed by Fastify. Versions of @fastify/middie 9.3.1 and earlier contained security vulnerabilities. These vulnerabilities occurred when the deprecated ignoreDuplicateSlashes option was enabled, as the middleware’s path matching logic did not...

@fastify/middie 安全漏洞

@fastify/middie is an open-source middleware engine developed by Fastify. Versions of @fastify/middie prior to 9.3.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of registration of inherited middleware on sub-plugin engine instances, which could lead to bypassin...

Fastify-Static 安全漏洞

Fastify-Static is an open-source plugin developed by Fastify. It is used to deliver static files as quickly as possible. Versions of Fastify-Static from 8.0.0 to 9.1.0 contain security vulnerabilities. These vulnerabilities stem from decoding percent-encoded path separators, which may allow...

Fastify-Static 安全漏洞

Fastify-Static is an open-source plugin developed by Fastify. It is used to deliver static files as quickly as possible. Versions of Fastify-Static from 8.0.0 to 9.1.0 have security vulnerabilities; these vulnerabilities stem from path traversal when directory listings are enabled, which may lead...

PT-2026-33313

Name of the Vulnerable Software and Affected Versions @fastify/static versions 8.0.0 through 9.1.0 Description @fastify/static decodes percent-encoded path separators '%2F' before filesystem resolution, whereas the Fastify router treats them as literal characters. This discrepancy allows for a...

PT-2026-33323

Name of the Vulnerable Software and Affected Versions @fastify/middie versions prior to 9.3.2 Description A middleware bypass exists when the deprecated ignoreDuplicateSlashes option is enabled. The middleware path matching logic fails to account for duplicate slash normalization performed by the...

PT-2026-33321

Name of the Vulnerable Software and Affected Versions @fastify/static versions 8.0.0 through 9.1.0 Description Path traversal occurs when directory listing is enabled via the list option. The dirList.path function resolves directories outside the configured static root using path.join without a...

CVE-2026-33806

A flaw was found in Fastify. A remote attacker could exploit this vulnerability by prepending a space to the Content-Type header in a request. This action bypasses the application's schema validation, allowing the attacker to submit data that would otherwise be rejected. This could lead to...

@amedia/brick-mcp (>=0.0.0-vBRAND-20260313141110 <=1.0.3), @area15/ticket-component (=0.1.0) +217 more potentially affected by CVE-2025-32442 +1 more via fastify (>=5.3.2 <=5.8.4)

fastify NPM version =5.3.2, =0.0.0-vBRAND-20260313141110, =2.0.1, =1.1.1, =0.6.2, =0.1.1, =0.1.1, =0.6.0, =0.1.1, =0.0.35, =0.0.82, =0.0.1, =0.0.6, =0.1.68, =0.1.0, =0.8.2 and more Source cves: CVE-2025-32442, CVE-2026-33806 Source advisory: OSV:GHSA-247C-9743-5963...

EUVD-2026-22818

Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header...

GHSA-247C-9743-5963 Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header

Summary A validation bypass vulnerability exists in Fastify v5.x where request body validation schemas specified via schema.body.content can be completely circumvented by prepending a single space character \x20 to the Content-Type header. The body is still parsed correctly as JSON or any other...

Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header

Summary A validation bypass vulnerability exists in Fastify v5.x where request body validation schemas specified via schema.body.content can be completely circumvented by prepending a single space character \x20 to the Content-Type header. The body is still parsed correctly as JSON or any other...

CVE-2026-33805

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them i...

@cmmn/tools (>=3.0.0-alpha-1 <=3.0.0-alpha-6), mikr0 (=0.1.10) potentially affected by CVE-2026-33807 via @fastify/express (>=4.0.1 <=4.0.2)

@fastify/express NPM version =4.0.1, =3.0.0-alpha-1, =3.0.0-alpha-6 - mikr0 =0.1.10 Source cves: CVE-2026-33807 Source advisory: SNYK:JS-FASTIFYEXPRESS-16068280...

Interpretation Conflict

Overview @fastify/express is an Express compatibility layer for Fastify Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of middleware paths in the onRegister function. An attacker can gain unauthorized access to protected routes by exploiting t...

Interpretation Conflict

Overview @fastify/express is an Express compatibility layer for Fastify Affected versions of this package are vulnerable to Interpretation Conflict via improper URL normalization gaps. An attacker can gain unauthorized access to protected routes by manipulating the URL path with duplicate slashes...

@cmmn/tools (>=3.0.0-alpha-1 <=3.0.0-alpha-6), mikr0 (=0.1.10) potentially affected by CVE-2026-33808 via @fastify/express (>=4.0.1 <=4.0.2)

@fastify/express NPM version =4.0.1, =3.0.0-alpha-1, =3.0.0-alpha-6 - mikr0 =0.1.10 Source cves: CVE-2026-33808 Source advisory: SNYK:JS-FASTIFYEXPRESS-16068303...

HTTP Header Injection

Overview @fastify/http-proxy is a proxy http requests, for Fastify Affected versions of this package are vulnerable to HTTP Header Injection via improper handling of the Connection header after proxy-added headers have been set. An attacker can remove headers intended for routing, access control,...

HTTP Header Injection

Overview @fastify/reply-from is a forward your HTTP request to another server, for fastify Affected versions of this package are vulnerable to HTTP Header Injection via improper handling of the Connection header after proxy-added headers have been set. An attacker can remove headers intended for...

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...