
56 matches found

NVD
added 4 hours ago, 5 views

CVE-2026-14181

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder t...

CVSS 7.5
Exploits: 0 | References: 2
NVD
added 4 hours ago, 4 views

CVE-2026-14198

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to...

CVSS 9.1
Exploits: 0 | References: 2
EUVD
added 4 hours ago, 3 views

EUVD-2026-40947

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder t...

CVSS 7.5 | AI score 5.8
Exploits: 0 | References: 2
CVE
added 5 hours ago, 10 views

CVE-2026-14198

The CVE-2026-14198 entry concerns @fastify/middie versions 9.1.0–9.3.2, where encoded slashes (%2F) in path parameter values are decoded by middie but not by Fastify’s router during route lookup. This mismatch lets a crafted URL bypass middleware-based security (authentication/authorization/rate ...

CVSS 9.1 | AI score 5.8
Exploits: 0 | References: 2
EUVD
added 5 hours ago, 3 views

EUVD-2026-40946

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to...

CVSS 9.1 | AI score 5.8
Exploits: 0 | References: 2
RedhatCVE
added 2026/06/05 7:17 p.m., 9 views

CVE-2026-6270

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the...

CVSS 9.1 | AI score 5.4 | EPSS 0.00498
Exploits: 1 | References: 1
RedhatCVE
added 2026/06/05 7:17 p.m., 9 views

CVE-2026-33804

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicat...

CVSS 9.1 | AI score 5.4 | EPSS 0.00278
Exploits: 0 | References: 1
EUVD
added 2026/04/16 10:29 p.m., 3 views

EUVD-2026-23241

@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes...

CVSS 9.1 | AI score 5.8 | EPSS 0.00498
Exploits: 1 | References: 4
Github Security Blog
added 2026/04/16 10:29 p.m., 6 views

@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes

Impact @fastify/middie v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fail...

CVSS 9.1 | AI score 5.8 | EPSS 0.00498
Exploits: 1 | References: 5 | Affected Software: 1
vulnersOsv
added 2026/04/16 10:29 p.m., 7 views

@bechara/crux (>=6.0.0 <=6.6.2), @cappa/cli (>=0.1.0 <=0.8.2) +10 more potentially affected by CVE-2026-6270 via @fastify/middie (>=9.0.2 <=9.3.1)

@fastify/middie NPM version =9.0.2, =6.0.0, =0.1.0, =0.1.0, =1.0.0, =1.0.11, =0.1.51, =1.0.36, =11.0.0, =1.3.0, =5.0.0, =0.6.1-dev, =1.1.48 Source cves: CVE-2026-6270 Source advisory: SNYK:JS-FASTIFYMIDDIE-16098213...

CVSS 9.1 | AI score 5.7 | EPSS 0.00498
Exploits: 1
OSV
added 2026/04/16 10:29 p.m., 3 views

GHSA-72C6-FX6Q-FR5W @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes

Impact @fastify/middie v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fail...

CVSS 9.1 | AI score 5.8 | EPSS 0.00498
Exploits: 1 | References: 5
Github Security Blog
added 2026/04/16 10:28 p.m., 8 views

@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

Impact @fastify/middie v9.3.1 and earlier does not read the deprecated but still functional top-level ignoreDuplicateSlashes option, only reading from routerOptions. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, allowing middleware bypass via...

CVSS 9.1 | AI score 5.8 | EPSS 0.00278
Exploits: 0 | References: 4 | Affected Software: 1
Snyk
added 2026/04/16 10:28 p.m., 4 views

Interpretation Conflict

Overview @fastify/middie is a Middleware engine for Fastify Affected versions of this package are vulnerable to Interpretation Conflict in the resolveNormalizationOptions function's deprecated ignoreDuplicateSlashes configuration option. An attacker can bypass middleware by crafting URLs with...

CVSS 9.1 | AI score 5.7 | EPSS 0.00278
Exploits: 0 | References: 2
EUVD
added 2026/04/16 10:28 p.m., 7 views

EUVD-2026-23235

@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option...

CVSS 7.4 | AI score 5.8 | EPSS 0.00278
Exploits: 0 | References: 3
vulnersOsv
added 2026/04/16 10:28 p.m., 7 views

@bechara/crux (>=6.0.0 <=6.6.2), @cappa/cli (>=0.1.0 <=0.8.2) +10 more potentially affected by CVE-2026-33804 via @fastify/middie (>=9.0.2 <=9.3.1)

@fastify/middie NPM version =9.0.2, =6.0.0, =0.1.0, =0.1.0, =1.0.0, =1.0.11, =0.1.51, =1.0.36, =11.0.0, =1.3.0, =5.0.0, =0.6.1-dev, =1.1.48 Source cves: CVE-2026-33804 Source advisory: SNYK:JS-FASTIFYMIDDIE-16098212...

CVSS 9.1 | AI score 5.7 | EPSS 0.00278
Exploits: 0
OSV
added 2026/04/16 10:28 p.m., 3 views

GHSA-V9WW-2J6R-98Q6 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

Impact @fastify/middie v9.3.1 and earlier does not read the deprecated but still functional top-level ignoreDuplicateSlashes option, only reading from routerOptions. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, allowing middleware bypass via...

CVSS 7.4 | AI score 5.8 | EPSS 0.00278
Exploits: 0 | References: 4
NVD
added 2026/04/16 3:17 p.m., 4 views

CVE-2026-33804

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicat...

CVSS 9.1 | EPSS 0.00278
Exploits: 0 | References: 2
NVD
added 2026/04/16 2:16 p.m., 4 views

CVE-2026-6270

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the...

CVSS 9.1 | EPSS 0.00498
Exploits: 1 | References: 3
Vulnrichment
added 2026/04/16 1:56 p.m., 4 views

CVE-2026-33804 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicat...

CVSS 7.4 | AI score 5.8 | EPSS 0.00278
Exploits: 0 | References: 2
CVE
added 2026/04/16 1:56 p.m., 9 views

CVE-2026-33804

CVE-2026-33804 affects @fastify/middie v9.3.1 and earlier, where middleware bypass can occur when the deprecated top-level ignoreDuplicateSlashes option is enabled. The middleware’s path-matching does not account for duplicate-slash normalization performed by Fastify’s router, allowing requests w...

CVSS 9.1 | AI score 5.8 | EPSS 0.00278
Exploits: 0 | References: 2 | Affected Software: 1