651 matches found
CVE-2026-33808
CVE-2026-33808 affects fastify/express. Root cause: @fastify/express v4.0.4 and earlier fail to normalize URLs before passing to Express middleware when Fastify router normalization is enabled, allowing bypass of path-scoped authentication via duplicate slashes or semicolon delimiters. Outcome: a...
CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...
CVE-2026-33806
Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify = 5.3...
Improper Validation of Specified Type of Input
Overview fastify is an overhead web framework, for Node.js. Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via the schema.body.content when a space is prepended to the Content-Type header. An attacker can bypass input validation by sending...
0uth (>=1.0.5 <=1.2.1), @___d/common (>=1.0.3 <=1.0.27) +2466 more potentially affected by CVE-2026-33806 via fastify (>=4.29.0 <=5.8.4)
fastify NPM version =4.29.0, =1.0.5, =1.0.3, =0.0.3, =1.0.0, =3.0.0, =0.1.0, =0.0.1, =0.1.0, =2.0.0, =1.0.1, =1.6.2, =1.0.3, =0.3.3, =0.7.3 and more Source cves: CVE-2026-33806 Source advisory: SNYK:JS-FASTIFY-16066793...
CVE-2026-33806 fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header
Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify = 5.3...
CVE-2026-33806
Summary: CVE-2026-33806 affects Fastify where, in applications using schema.body.content, a leading space in the Content-Type header can bypass per-content-type body validation while the body is parsed normally. This is a regression introduced in Fastify >= 5.3.2 as a follow-up to CVE-2025-324...
CVE-2026-33806 fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header
Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify = 5.3...
CVE-2026-33806
Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify = 5.3...
fastify/reply-from和fastify/http-proxy 安全漏洞
fastify/reply-from and fastify/http-proxy are both products from the Fastify open-source project. fastify/reply-from is a plugin designed to forward incoming HTTP requests to another server. fastify/http-proxy is a full-featured HTTP proxy plugin that supports proxying WebSocket connections and...
Fastify 安全漏洞
Fastify is an open-source web framework developed by Fastify. Versions of Fastify prior to 5.8.5 contained security vulnerabilities. These vulnerabilities stemmed from the use of schema.body.content for content-type-based validation. By adding a space before the Content-Type header, the validatio...
@fastify/express 安全漏洞
@fastify/express is a compatibility plugin developed by Fastify. Versions of @fastify/express 4.0.4 and earlier contain security vulnerabilities. These vulnerabilities arise from failing to normalize URLs before passing them to Express middleware when the Fastify router normalization option is...
@fastify/express 安全漏洞
@fastify/express is a compatibility plugin developed by Fastify. Versions of @fastify/express 4.0.4 and earlier contain security vulnerabilities. These vulnerabilities stem from errors in path handling within the onRegister function, which cause the middleware paths to be added repeatedly when...
PT-2026-33035
Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.5 Description An issue exists where the software fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows an unauthenticated...
PT-2026-33000
Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify = 5.3...
CVE-2026-34076
Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...
CVE-2026-34076
Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...
CVE-2026-34076
Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...
CVE-2026-34076 Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host
Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...
CVE-2026-34076 Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host
Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...