VYPR
Vendor: Fastify

Products: 22
CVEs: 40
Across products: 44
Status: Private

Recent CVEs

  • CVE-2026-25244 (Critical, May 18, 2026)
    risk 0.57, CVSS 9.8, EPSS 0.04

    WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names…

  • CVE-2026-6270 (Critical, Apr 16, 2026)
    risk 0.52, CVSS 9.1, EPSS 0.01

    @fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does…

  • CVE-2026-33808 (Critical, Apr 15, 2026)
    risk 0.52, CVSS 9.1, EPSS 0.00

    Impact: @fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when…

  • CVE-2026-33807 (Critical, Apr 15, 2026)
    risk 0.52, CVSS 9.1, EPSS 0.00

    @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed…

  • CVE-2026-2880 (Critical, Feb 27, 2026)
    risk 0.52, CVSS 9.1, EPSS 0.00

    A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes,…

  • CVE-2026-6322 (High, May 5, 2026)
    risk 0.49, CVSS 7.5, EPSS 0.00

    fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a…

  • CVE-2026-33805 (High, Apr 15, 2026)
    risk 0.49, CVSS 8.6, EPSS 0.00

    @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests…

  • CVE-2026-22037 (High, Jan 19, 2026)
    risk 0.48, CVSS 8.4, EPSS 0.00

    The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of…

  • CVE-2026-22031 (High, Jan 19, 2026)
    risk 0.48, CVSS 8.4, EPSS 0.00

    @fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin`…

  • CVE-2026-10796 (High, Jun 4, 2026)
    risk 0.42, CVSS 7.5, EPSS 0.00

    nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as `nvm install` read the available versions from the mirror's index.tab and use the selected version, without sanitization,…

  • CVE-2026-6321 (High, May 4, 2026)
    risk 0.42, CVSS 7.5, EPSS 0.00

    fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same…

  • CVE-2026-33806 (High, Apr 15, 2026)
    risk 0.42, CVSS 7.5, EPSS 0.00

    Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression…

  • CVE-2025-24033 (High, Jan 23, 2025)
    risk 0.42, CVSS 7.5, EPSS 0.01

    @fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a…

  • CVE-2026-33804 (High, Apr 16, 2026)
    risk 0.41, CVSS 7.4, EPSS 0.00

    @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing…

  • CVE-2024-35220 (High, May 21, 2024)
    risk 0.41, CVSS 7.4, EPSS 0.00

    @fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overridden if the `maxAge` field was set. This means a cookie is never correctly detected as expired and thus expired…

  • CVE-2024-31999 (High, Apr 10, 2024)
    risk 0.41, CVSS 7.4, EPSS 0.01

    @fastify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the…

  • CVE-2014-6393 (Medium, Aug 9, 2017)
    risk 0.40, CVSS 6.1, EPSS 0.01

    The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.

  • CVE-2026-3635 (Medium, Mar 23, 2026)
    risk 0.33, CVSS 6.1, EPSS 0.00

    Summary: When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any…

  • CVE-2015-8856 (Medium, Jan 23, 2017)
    risk 0.33, CVSS 6.1, EPSS 0.02

    Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name.

  • CVE-2026-6414 (Medium, Apr 16, 2026)
    risk 0.31, CVSS 5.9, EPSS 0.00

    @fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served…