Lucene search
K

38 matches found

NVD
NVD
added 2026/06/30 1:19 p.m.13 views

CVE-2026-6556

@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths arrays of paths and regular expressions are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms doe...

9.1CVSS0.00295EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/30 12:48 p.m.31 views

CVE-2026-6556 @fastify/express vulnerable to middleware bypass via non-string mount paths in prefixed plugins

@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths arrays of paths and regular expressions are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms doe...

9.1CVSS0.00295EPSS
Exploits0References2
CVE
CVE
added 2026/06/30 12:48 p.m.16 views

CVE-2026-6556

The CVE concerns @fastify/express 4.0.6 and earlier, where non-string mount paths (arrays/regex) are not prefixed inside prefixed plugin scopes. This causes middleware registered with those forms to not match the actual prefixed request path, potentially bypassing path-scoped security middleware ...

9.1CVSS5.8AI score0.00295EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-53878

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.7 Description A middleware scoping flaw exists where plugin prefixes are not applied to middleware mount paths when the mount path is provided as an array or a regular expression. This occurs due to...

9.1CVSS6AI score0.00295EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.9 views

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS5.4AI score0.00483EPSS
Exploits1References1
Veracode
Veracode
added 2026/04/16 7:14 a.m.7 views

Improper Access Control

@fastify/express is vulnerable to Improper Access Control. The vulnerability is due to incorrect path handling in the onRegister function, where middleware paths are duplicated when inherited by child plugins, causing them to not match incoming requests and resulting in bypass of security control...

9.1CVSS5.8AI score0.0043EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/04/16 1:3 a.m.5 views

EUVD-2026-22881

@fastify/express has a middleware authentication bypass via URL normalization gaps duplicate slashes and semicolons...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/04/16 1:3 a.m.9 views

@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Summary @fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors: 1. Duplicate slashes //admin/dashboard when...

9.1CVSS5.9AI score0.00483EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/16 1:3 a.m.9 views

GHSA-6HW5-45GM-FJ88 @fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Summary @fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors: 1. Duplicate slashes //admin/dashboard when...

9.1CVSS5.9AI score0.00483EPSS
Exploits1References4
EUVD
EUVD
added 2026/04/16 1:3 a.m.5 views

EUVD-2026-22880

@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes...

9.1CVSS5.8AI score0.0043EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/04/16 1:3 a.m.8 views

@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes

Summary @fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share ...

9.1CVSS5.8AI score0.0043EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/16 1:3 a.m.3 views

GHSA-HRWM-HGMJ-7P9C @fastify/express's middleware path doubling causes authentication bypass in child plugin scopes

Summary @fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share ...

9.1CVSS5.8AI score0.00498EPSS
Exploits2References4
Snyk
Snyk
added 2026/04/15 11:15 a.m.7 views

Interpretation Conflict

Overview @fastify/express is an Express compatibility layer for Fastify Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of middleware paths in the onRegister function. An attacker can gain unauthorized access to protected routes by exploiting t...

9.3CVSS5.7AI score0.0043EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/15 11:15 a.m.6 views

Interpretation Conflict

Overview @fastify/express is an Express compatibility layer for Fastify Affected versions of this package are vulnerable to Interpretation Conflict via improper URL normalization gaps. An attacker can gain unauthorized access to protected routes by manipulating the URL path with duplicate slashes...

9.1CVSS5.7AI score0.00483EPSS
Exploits1References2
NVD
NVD
added 2026/04/15 10:16 a.m.23 views

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS0.00483EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/15 9:52 a.m.29 views

CVE-2026-33807 @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...

9.1CVSS0.0043EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/15 9:52 a.m.4 views

CVE-2026-33807

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...

9.1CVSS5.8AI score0.0043EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/04/15 9:52 a.m.3 views

CVE-2026-33807 @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...

9.1CVSS5.8AI score0.0043EPSS
Exploits1References2
CVE
CVE
added 2026/04/15 9:52 a.m.11 views

CVE-2026-33807

CVE-2026-33807 affects @fastify/express v4.0.4 and earlier. A path handling bug in onRegister doubles middleware paths when inherited by child plugins, causing the middleware to never match requests. This results in complete bypass of Express middleware security controls (authentication, authoriz...

9.1CVSS5.8AI score0.0043EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/04/15 9:29 a.m.33 views

CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS0.00483EPSS
Exploits1References2
Rows per page
Query Builder