Lucene search
+L

11 matches found

Veracode
Veracode
added 2026/05/16 5:10 a.m.8 views

Improper Authorization

@fastify/express is vulnerable to Improper Authorization. The vulnerability is due to inconsistent URL normalization between Fastify and Express middleware, which allows an unauthenticated attacker to manipulate URL paths using duplicate slashes or semicolon delimiters to bypass path-based...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/16 1:3 a.m.10 views

@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Summary @fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors: 1. Duplicate slashes //admin/dashboard when...

9.1CVSS5.9AI score0.00483EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/16 1:3 a.m.9 views

GHSA-6HW5-45GM-FJ88 @fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Summary @fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors: 1. Duplicate slashes //admin/dashboard when...

9.1CVSS5.9AI score0.00483EPSS
Exploits1References4
Snyk
Snyk
added 2026/04/15 11:15 a.m.6 views

Interpretation Conflict

Overview @fastify/express is an Express compatibility layer for Fastify Affected versions of this package are vulnerable to Interpretation Conflict via improper URL normalization gaps. An attacker can gain unauthorized access to protected routes by manipulating the URL path with duplicate slashes...

9.1CVSS5.7AI score0.00483EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/15 9:29 a.m.3 views

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/04/15 9:29 a.m.5 views

CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References2
RedHat Linux
RedHat Linux
added 2025/11/05 1:11 p.m.8 views

rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

An unsafe default behavior in Rack::QueryParser allows bypass of the paramslimit parameter count restriction when query string parameters are delimited by semicolons ; rather than ampersands &. The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, ...

7.5CVSS6.9AI score0.00535EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2025/11/04 8:2 p.m.5 views

rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

An unsafe default behavior in Rack::QueryParser allows bypass of the paramslimit parameter count restriction when query string parameters are delimited by semicolons ; rather than ampersands &. The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, ...

7.5CVSS6.9AI score0.00535EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2025/11/04 7:51 p.m.5 views

rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

An unsafe default behavior in Rack::QueryParser allows bypass of the paramslimit parameter count restriction when query string parameters are delimited by semicolons ; rather than ampersands &. The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, ...

7.5CVSS6.9AI score0.00535EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2025/11/03 8:27 p.m.5 views

rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

An unsafe default behavior in Rack::QueryParser allows bypass of the paramslimit parameter count restriction when query string parameters are delimited by semicolons ; rather than ampersands &. The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, ...

7.5CVSS6.9AI score0.00535EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2025/11/03 8:18 p.m.6 views

rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

An unsafe default behavior in Rack::QueryParser allows bypass of the paramslimit parameter count restriction when query string parameters are delimited by semicolons ; rather than ampersands &. The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, ...

7.5CVSS6.9AI score0.00535EPSS
Exploits0References6
Rows per page
Query Builder