CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Nuclei•added yesterday•45 views

Fastify Swagger-UI - Information Disclosure

fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of @fastify/swagger-ui without baseDir set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting th...

5.3CVSS6.1AI score0.02001EPSS

OSSF Malicious Packages•added 6 days ago•6 views

Malicious code in @mastra/fastify (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8e3fd453d8d4b3cf403d6d1445b295c8de0462a463c857388fb6c800c7c897cd Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.4AI score

OSV•added 6 days ago•7 views

MAL-2026-5949 Malicious code in @mastra/fastify (npm)

5.4AI score

Snyk•added 2026/06/15 8:36 p.m.•3 views

Incorrect Authorization

Overview @nestjs/platform-fastify is a Nest - modern, fast, powerful node.js web framework @platform-fastify Affected versions of this package are vulnerable to Incorrect Authorization via the MiddlewareConsumer.forRoutes API on the Fastify adapter. An attacker can gain unauthorized access to...

8.7CVSS5.9AI score0.00035EPSS

OSV•added 2026/06/15 8:36 p.m.•3 views

GHSA-6V32-FJC9-9QF6 Nest: Middleware Bypass on Fastify via Trailing Slash

Impact An authentication bypass vulnerability exists in @nestjs/platform-fastify confirmed on version 11.1.24, the latest available release at time of report. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes API on the Fastify adapter, an unauthenticated client can bypa...

8.7CVSS5.3AI score0.00035EPSS

Github Security Blog•added 2026/06/15 8:36 p.m.•7 views

Nest: Middleware Bypass on Fastify via Trailing Slash

8.7CVSS5.3AI score0.00035EPSS

Exploits0References2Affected Software1

Positive Technologies•added 2026/06/15 12:0 a.m.•5 views

PT-2026-49595

Name of the Vulnerable Software and Affected Versions @nestjs/platform-fastify versions prior to 11.1.24 Description An authentication bypass exists in the Fastify adapter when middleware is registered through the MiddlewareConsumer.forRoutes API. An unauthenticated client can bypass registered...

8.7CVSS5.4AI score0.00035EPSS

Exploits0References5

OSSF Malicious Packages•added 2026/06/11 5:11 a.m.•22 views

Malicious code in fastify-addon (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3cb91c825be697244f8ff069bb56e79aff3b90de7b9947019095b6d0fa2fd270 fastify-addon is a typosquat of the legitimate fastify-plugin package. Its package.json sets repository, bugs, and homepage to...

OSV•added 2026/06/11 5:11 a.m.•27 views

MAL-2026-5566 Malicious code in fastify-addon (npm)

OSV•added 2026/06/10 12:41 p.m.•7 views

MAL-2026-5503 Malicious code in plugin-fastify (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 85454b4f6eb05f7133937ef6acbdd16ae04b31aaf2b4806bdcac1d845fb80d6c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

OSSF Malicious Packages•added 2026/06/10 12:41 p.m.•11 views

Malicious code in plugin-fastify (npm)

RedhatCVE•added 2026/06/05 7:17 p.m.•7 views

CVE-2026-33804

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicat...

9.1CVSS5.4AI score0.00278EPSS

RedhatCVE•added 2026/06/05 7:17 p.m.•7 views

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS5.4AI score0.00483EPSS

Exploits1References1

OSV•added 2026/05/08 5:13 p.m.•4 views

GHSA-QXHC-WX3P-2WMG @fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth

Impact @fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded. Under sustained load,...

7.5CVSS5.8AI score0.00284EPSS

Exploits0References4

Github Security Blog•added 2026/05/08 5:13 p.m.•14 views

@fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth

7.5CVSS5.8AI score0.00284EPSS

Exploits0References4Affected Software1

NVD•added 2026/05/08 4:16 p.m.•8 views

CVE-2026-41690

18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that...

8.6CVSS0.0031EPSS

Snyk•added 2026/05/04 9:28 p.m.•9 views

Allocation of Resources Without Limits or Throttling

Overview @fastify/accepts-serializer is a Serializer according to the accept header Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the unbounded caching of serializer-selection results keyed by the Accept header. An attacker can exhaus...

8.7CVSS5.8AI score0.00284EPSS

NVD•added 2026/05/04 8:16 p.m.•11 views

CVE-2026-7768

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the...

7.5CVSS0.00284EPSS