
8 matches found

CNNVD
added 2026/04/17 12:0 a.m., 4 views

next-intl security vulnerability

next-intl is a Next.js solution developed by Jan Amann. Versions of next-intl prior to 4.9.1 contained a security vulnerability, which was caused by improper handling of middleware pathing, potentially leading to redirection to untrusted hosts...

CVSS 6.9, AI score 5.8, EPSS 0.00059
Exploits: 0, References: 1

OSV
added 2026/04/16 1:3 a.m., 1 views

GHSA-HRWM-HGMJ-7P9C @fastify/express's middleware path doubling causes authentication bypass in child plugin scopes

Summary @fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share ...

CVSS 9.1, AI score 5.8, EPSS 0.00037
Exploits: 1, References: 4

CVE
added 2026/04/15 9:52 a.m., 4 views

CVE-2026-33807

CVE-2026-33807 affects @fastify/express v4.0.4 and earlier. A path handling bug in onRegister doubles middleware paths when inherited by child plugins, causing the middleware to never match requests. This results in complete bypass of Express middleware security controls (authentication, authoriz...

CVSS 9.1, AI score 5.8, EPSS 0.00037
Exploits: 1, References: 2, Affected Software: 1

Vulnrichment
added 2026/01/19 4:48 p.m., 2 views

CVE-2026-22037 @fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters e.g., /%61dmin instead of /admin. While the...

CVSS 8.4, AI score 5.5, EPSS 0.00034
Exploits: 0, References: 2

RedhatCVE
added 2025/11/20 9:37 p.m., 3 views

CVE-2025-64765

Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI to determine which route to render, while the...

CVSS 6.9, AI score 6.8, EPSS 0.00041
Exploits: 1, References: 1

Github Security Blog
added 2025/11/19 8:3 p.m., 6 views

Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values

A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI to determine which route to render, while the middleware uses context.url.pathname without applying the...

CVSS 6.9, AI score 6.5, EPSS 0.00041
Exploits: 1, References: 4, Affected Software: 1

CVE
added 2025/11/19 4:41 p.m., 8 views

CVE-2025-64765

Astro (web framework) vulnerability CVE-2025-64765 and related advisories describe a path normalization mismatch: Astro uses decodeURI for routing, while middleware reads context.url.pathname without the same normalization. This permits bypassing path-based authentication by double-encoded URLs (...

CVSS 6.9, AI score 6.5, EPSS 0.00041
Exploits: 1, References: 2, Affected Software: 1

Positive Technologies
added 2025/11/19 12:0 a.m., 2 views

PT-2025-47489

Name of the Vulnerable Software and Affected Versions Astro versions prior to 5.15.8 Description Astro versions prior to 5.15.8 contain a path normalization discrepancy between how the framework routes requests and how middleware validates them. Astro uses decodeURI to determine the route, while...

CVSS 6.9, AI score 6.7, EPSS 0.00041
Exploits: 1, References: 13