Lucene search
K

351 matches found

Github Security Blog
Github Security Blog
added 2026/04/16 1:3 a.m.9 views

@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Summary @fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors: 1. Duplicate slashes //admin/dashboard when...

9.1CVSS5.9AI score0.00483EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/16 1:3 a.m.9 views

GHSA-6HW5-45GM-FJ88 @fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Summary @fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors: 1. Duplicate slashes //admin/dashboard when...

9.1CVSS5.9AI score0.00483EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/04/16 12:0 a.m.11 views

@fastify/middie 安全漏洞

@fastify/middie is an open-source middleware engine developed by Fastify. Versions of @fastify/middie 9.3.1 and earlier contained security vulnerabilities. These vulnerabilities occurred when the deprecated ignoreDuplicateSlashes option was enabled, as the middleware’s path matching logic did not...

9.1CVSS5.8AI score0.00278EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/16 12:0 a.m.8 views

PT-2026-33323

Name of the Vulnerable Software and Affected Versions @fastify/middie versions prior to 9.3.2 Description A middleware bypass exists when the deprecated ignoreDuplicateSlashes option is enabled. The middleware path matching logic fails to account for duplicate slash normalization performed by the...

7.4CVSS5.7AI score0.00278EPSS
Exploits0References9
Snyk
Snyk
added 2026/04/15 11:15 a.m.6 views

Interpretation Conflict

Overview @fastify/express is an Express compatibility layer for Fastify Affected versions of this package are vulnerable to Interpretation Conflict via improper URL normalization gaps. An attacker can gain unauthorized access to protected routes by manipulating the URL path with duplicate slashes...

9.1CVSS5.7AI score0.00483EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/15 9:29 a.m.33 views

CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS0.00483EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/15 9:29 a.m.3 views

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/04/15 9:29 a.m.5 views

CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References2
CVE
CVE
added 2026/04/15 9:29 a.m.22 views

CVE-2026-33808

CVE-2026-33808 affects fastify/express. Root cause: @fastify/express v4.0.4 and earlier fail to normalize URLs before passing to Express middleware when Fastify router normalization is enabled, allowing bypass of path-scoped authentication via duplicate slashes or semicolon delimiters. Outcome: a...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.13 views

PT-2026-33035

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.5 Description An issue exists where the software fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows an unauthenticated...

10CVSS5.2AI score0.00483EPSS
Exploits1References11
NVD
NVD
added 2026/04/08 3:16 p.m.10 views

CVE-2026-39406

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...

5.3CVSS0.00376EPSS
Exploits0References1
NVD
NVD
added 2026/04/08 3:16 p.m.8 views

CVE-2026-39407

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for...

5.3CVSS0.00459EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/08 2:41 p.m.2 views

CVE-2026-39407

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for...

5.3CVSS5.9AI score0.00459EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/04/08 2:41 p.m.20 views

CVE-2026-39407 Hono has a middleware bypass via repeated slashes in serveStatic

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for...

5.3CVSS0.00459EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/08 2:41 p.m.2 views

CVE-2026-39407 Hono has a middleware bypass via repeated slashes in serveStatic

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for...

5.3CVSS5.9AI score0.00459EPSS
Exploits0References3
CVE
CVE
added 2026/04/08 2:41 p.m.36 views

CVE-2026-39407

Hono (Web framework) prior to 4.12.12 is affected by a path handling inconsistency in serveStatic: repeated slashes in the request path can bypass route-based middleware (e.g., /admin/*) and expose protected static files. The issue arises because the router may not match paths with // while serve...

5.3CVSS5.9AI score0.00459EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/08 2:34 p.m.4 views

CVE-2026-39406 @hono/node-server has a middleware bypass via repeated slashes in serveStatic

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...

5.3CVSS5.9AI score0.00376EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/08 2:34 p.m.21 views

CVE-2026-39406 @hono/node-server has a middleware bypass via repeated slashes in serveStatic

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...

5.3CVSS0.00376EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/08 2:34 p.m.5 views

CVE-2026-39406

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...

5.3CVSS5.9AI score0.00376EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/04/08 2:34 p.m.26 views

CVE-2026-39406

The CVE concerns @hono/node-server where a path handling inconsistency in serveStatic allows bypassing route-based middleware via repeated slashes (//) in the request path. Before version 1.19.13, the router may not match paths containing repeated slashes (e.g., /admin/*) while serveStatic resolv...

5.3CVSS5.9AI score0.00376EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder