14 matches found
Interpretation Conflict
Overview @fastify/middie is a Middleware engine for Fastify Affected versions of this package are vulnerable to Interpretation Conflict in the propagation of middleware paths to child plugin scopes due to incorrect re-prefixing. An attacker can gain unauthorized access to protected routes by...
CVE-2026-6270
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the...
CVE-2026-6270
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the...
Improper Access Control
@fastify/express is vulnerable to Improper Access Control. The vulnerability is due to incorrect path handling in the onRegister function, where middleware paths are duplicated when inherited by child plugins, causing them to not match incoming requests and resulting in bypass of security control...
GHSA-HRWM-HGMJ-7P9C @fastify/express's middleware path doubling causes authentication bypass in child plugin scopes
Summary @fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share ...
EUVD-2026-22880
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes...
PT-2026-33320
Name of the Vulnerable Software and Affected Versions @fastify/middie versions prior to 9.3.2 Description Inherited middleware is not registered directly on child plugin engine instances. When authentication middleware is registered in a parent scope and child plugins are registered with...
Interpretation Conflict
Overview @fastify/express is an Express compatibility layer for Fastify Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of middleware paths in the onRegister function. An attacker can gain unauthorized access to protected routes by exploiting t...
CVE-2026-33807
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...
CVE-2026-33807 @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...
CVE-2026-33807
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...
CVE-2026-33807
CVE-2026-33807 affects @fastify/express v4.0.4 and earlier. A path handling bug in onRegister doubles middleware paths when inherited by child plugins, causing the middleware to never match requests. This results in complete bypass of Express middleware security controls (authentication, authoriz...
CVE-2026-33807 @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...
PT-2026-33034
Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.5 Description A path handling bug in the onRegister function causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix matching a middleware...