VYPR: Vendor CVEs for Fastify (all CVEs)

40 total · sorted by risk
  • CVE-2026-25244 · Critical · May 18, 2026
    risk 0.57 · cvss 9.8 · epss 0.04

    WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names…

  • CVE-2026-6270 · Critical · Apr 16, 2026
    risk 0.52 · cvss 9.1 · epss 0.01

    @fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does…

  • CVE-2026-33808 · Critical · Apr 15, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    Impact: @fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when…

  • CVE-2026-33807 · Critical · Apr 15, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed…

  • CVE-2026-2880 · Critical · Feb 27, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes,…

  • CVE-2026-6322 · High · May 5, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a…

  • CVE-2026-33805 · High · Apr 15, 2026
    risk 0.49 · cvss 8.6 · epss 0.00

    @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests…

  • CVE-2026-22037 · High · Jan 19, 2026
    risk 0.48 · cvss 8.4 · epss 0.00

    The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of…

  • CVE-2026-22031 · High · Jan 19, 2026
    risk 0.48 · cvss 8.4 · epss 0.00

    @fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin`…

  • CVE-2026-10796 · High · Jun 4, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as `nvm install` read the available versions from the mirror's index.tab and use the selected version, without sanitization,…

  • CVE-2026-6321 · High · May 4, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same…

  • CVE-2026-33806 · High · Apr 15, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression…

  • CVE-2025-24033 · High · Jan 23, 2025
    risk 0.42 · cvss 7.5 · epss 0.01

    @fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a…

  • CVE-2026-33804 · High · Apr 16, 2026
    risk 0.41 · cvss 7.4 · epss 0.00

    @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing…

  • CVE-2024-35220 · High · May 21, 2024
    risk 0.41 · cvss 7.4 · epss 0.00

    @fastify/session is a session plugin for Fastify. It requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overridden if the `maxAge` field was set. This means a cookie is never correctly detected as expired and thus expired…

  • CVE-2024-31999 · High · Apr 10, 2024
    risk 0.41 · cvss 7.4 · epss 0.01

    @fastify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the…

  • CVE-2014-6393 · Medium · Aug 9, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.

  • CVE-2026-3635 · Medium · Mar 23, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    Summary: When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any…

  • CVE-2015-8856 · Medium · Jan 23, 2017
    risk 0.33 · cvss 6.1 · epss 0.02

    Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name.

  • CVE-2026-6414 · Medium · Apr 16, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    @fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served…

  • CVE-2026-6410 · Medium · Apr 16, 2026
    risk 0.27 · cvss 5.3 · epss 0.01

    @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated…

  • CVE-2026-3419 · Mar 6, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1 (https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json…

  • CVE-2026-25223 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed…

  • CVE-2026-25224 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a…

  • CVE-2025-66415 · Dec 1, 2025
    risk 0.00 · cvss n/a · epss 0.00

    fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from.…

  • CVE-2025-32442 · Apr 18, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_…

  • CVE-2024-22207 · Jan 15, 2024
    risk 0.00 · cvss n/a · epss 0.02

    fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is…

  • CVE-2023-51701 · Jan 8, 2024
    risk 0.00 · cvss n/a · epss 0.00

    fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. A reverse proxy server built with `@fastify/reply-from` could misinterpret the incoming body by passing a header `ContentType: application/json ; charset=utf-8`. This can lead to…

  • CVE-2023-29020 · Apr 21, 2023
    risk 0.00 · cvss n/a · epss 0.00

    @fastify/passport is a port of the passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forgery) protection enforced by the `@fastify/csrf-protection` library, when combined with `@fastify/passport` in affected versions, can be bypassed by network…

  • CVE-2023-29019 · Apr 21, 2023
    risk 0.00 · cvss n/a · epss 0.01

    @fastify/passport is a port of passport authentication library for the Fastify ecosystem. Applications using `@fastify/passport` in affected versions for user authentication, in combination with `@fastify/session` as the underlying session management mechanism, are vulnerable to…

  • CVE-2023-27495 · Apr 20, 2023
    risk 0.00 · cvss n/a · epss 0.00

    @fastify/csrf-protection is a plugin which helps protect Fastify servers against CSRF attacks. The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions.…

  • CVE-2023-25576 · Feb 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    @fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body…

  • CVE-2022-41919 · Nov 22, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s essence as "application/x-www-form-urlencoded",…

  • CVE-2022-39288 · Oct 10, 2022
    risk 0.00 · cvss n/a · epss 0.59

    fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue…

  • CVE-2022-31142 · Jul 14, 2022
    risk 0.00 · cvss n/a · epss 0.01

    @fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the…

  • CVE-2022-29220 · May 31, 2022
    risk 0.00 · cvss n/a · epss 0.00

    github-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check if a commit created by dependabot is verified with the proper GPG key. There is just a check…

  • CVE-2021-29624 · May 19, 2021
    risk 0.00 · cvss n/a · epss 0.01

    fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform…

  • CVE-2021-21321 · Mar 2, 2021
    risk 0.00 · cvss n/a · epss 0.02

    fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of…

  • CVE-2021-21322 · Mar 2, 2021
    risk 0.00 · cvss n/a · epss 0.02

    fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is `/pub/`, a user…

  • CVE-2018-17981 · Jan 22, 2020
    risk 0.00 · cvss n/a · epss 0.01

    Lifesize Express ls ex2_4.7.10 2000 (14) devices allow XSS via the interface/interface.php brand parameter.