Lucene search
K

650 matches found

Github Security Blog
Github Security Blog
added 2026/04/15 7:24 p.m.9 views

Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header

Summary A validation bypass vulnerability exists in Fastify v5.x where request body validation schemas specified via schema.body.content can be completely circumvented by prepending a single space character \x20 to the Content-Type header. The body is still parsed correctly as JSON or any other...

7.5CVSS7AI score0.0077EPSS
Exploits1References8Affected Software1
vulnersOsv
vulnersOsv
added 2026/04/15 7:24 p.m.7 views

@amedia/brick-mcp (>=0.0.0-vBRAND-20260313141110 <=1.0.3), @area15/ticket-component (=0.1.0) +170 more potentially affected by CVE-2025-32442 +1 more via fastify (>=5.3.2 <=5.8.4)

fastify NPM version =5.3.2, =0.0.0-vBRAND-20260313141110, =2.0.1, =1.1.1, =0.6.2, =0.1.1, =0.1.1, =0.6.0, =0.1.1, =0.0.35, =0.0.82, =0.0.1, =0.0.6, =0.1.68, =0.1.0, =0.8.2 and more Source cves: CVE-2025-32442, CVE-2026-33806 Source advisory: OSV:GHSA-247C-9743-5963...

7.5CVSS7AI score0.00635EPSS
Exploits1
OSV
OSV
added 2026/04/15 7:24 p.m.3 views

GHSA-247C-9743-5963 Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header

Summary A validation bypass vulnerability exists in Fastify v5.x where request body validation schemas specified via schema.body.content can be completely circumvented by prepending a single space character \x20 to the Content-Type header. The body is still parsed correctly as JSON or any other...

7.5CVSS5.7AI score0.00635EPSS
Exploits1References8
EUVD
EUVD
added 2026/04/15 7:24 p.m.5 views

EUVD-2026-22818

Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header...

7.5CVSS7.1AI score0.00635EPSS
Exploits1References6
NVD
NVD
added 2026/04/15 11:16 a.m.8 views

CVE-2026-33805

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them i...

9CVSS0.00441EPSS
Exploits1References6
Snyk
Snyk
added 2026/04/15 11:15 a.m.7 views

Interpretation Conflict

Overview @fastify/express is an Express compatibility layer for Fastify Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of middleware paths in the onRegister function. An attacker can gain unauthorized access to protected routes by exploiting t...

9.3CVSS5.7AI score0.0043EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/15 11:15 a.m.5 views

Interpretation Conflict

Overview @fastify/express is an Express compatibility layer for Fastify Affected versions of this package are vulnerable to Interpretation Conflict via improper URL normalization gaps. An attacker can gain unauthorized access to protected routes by manipulating the URL path with duplicate slashes...

9.1CVSS5.7AI score0.00483EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/15 11:15 a.m.6 views

HTTP Header Injection

Overview @fastify/reply-from is a forward your HTTP request to another server, for fastify Affected versions of this package are vulnerable to HTTP Header Injection via improper handling of the Connection header after proxy-added headers have been set. An attacker can remove headers intended for...

9CVSS5.8AI score0.00441EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/15 11:15 a.m.6 views

HTTP Header Injection

Overview @fastify/http-proxy is a proxy http requests, for Fastify Affected versions of this package are vulnerable to HTTP Header Injection via improper handling of the Connection header after proxy-added headers have been set. An attacker can remove headers intended for routing, access control,...

9CVSS5.8AI score0.00441EPSS
Exploits1References2
NVD
NVD
added 2026/04/15 10:16 a.m.15 views

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS0.00483EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/15 10:13 a.m.36 views

CVE-2026-33805 @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them i...

9CVSS0.00441EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/15 10:13 a.m.5 views

CVE-2026-33805 @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them i...

9CVSS5.8AI score0.00441EPSS
Exploits1References2
CVE
CVE
added 2026/04/15 10:13 a.m.23 views

CVE-2026-33805

CVE-2026-33805 affects @fastify/reply-from &lt;= v12.6.1 and @fastify/http-proxy

9CVSS5.8AI score0.00441EPSS
Exploits1References6Affected Software2
ATTACKERKB
ATTACKERKB
added 2026/04/15 9:52 a.m.4 views

CVE-2026-33807

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...

9.1CVSS5.8AI score0.0043EPSS
Exploits1References3
CVE
CVE
added 2026/04/15 9:52 a.m.10 views

CVE-2026-33807

CVE-2026-33807 affects @fastify/express v4.0.4 and earlier. A path handling bug in onRegister doubles middleware paths when inherited by child plugins, causing the middleware to never match requests. This results in complete bypass of Express middleware security controls (authentication, authoriz...

9.1CVSS5.8AI score0.0043EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/15 9:52 a.m.3 views

CVE-2026-33807 @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...

9.1CVSS5.8AI score0.0043EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/15 9:52 a.m.28 views

CVE-2026-33807 @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...

9.1CVSS0.0043EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/15 9:29 a.m.5 views

CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/15 9:29 a.m.3 views

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References3
CVE
CVE
added 2026/04/15 9:29 a.m.20 views

CVE-2026-33808

CVE-2026-33808 affects fastify/express. Root cause: @fastify/express v4.0.4 and earlier fail to normalize URLs before passing to Express middleware when Fastify router normalization is enabled, allowing bypass of path-scoped authentication via duplicate slashes or semicolon delimiters. Outcome: a...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder