| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-33804 | @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option | @fastify/middie | @fastify/middie | High | 7.4 | 2026-04-16 13:56:56 | Deep Dive |
| CVE-2026-6270 | @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes | @fastify/middie | @fastify/middie | Critical | 9.1 | 2026-04-16 13:44:46 | Deep Dive |
| CVE-2026-6410 | @fastify/static vulnerable to path traversal in directory listing | @fastify/static | @fastify/static | Medium | 5.3 | 2026-04-16 13:29:08 | Deep Dive |
| CVE-2026-6414 | @fastify/static vulnerable to route guard bypass via encoded path separators | @fastify/static | @fastify/static | Medium | 5.9 | 2026-04-16 13:09:04 | Deep Dive |
| CVE-2026-33805 | @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers | @fastify/reply-from | @fastify/reply-from | Medium | - | 2026-04-15 10:13:25 | Deep Dive |
| CVE-2026-33807 | @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes | fastify | @fastify/express | Critical | 9.1 | 2026-04-15 09:52:27 | Deep Dive |
| CVE-2026-33808 | @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) | fastify | @fastify/express | Medium | - | 2026-04-15 09:29:46 | Deep Dive |
| CVE-2026-33806 | fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header | fastify | fastify | High | 7.5 | 2026-04-15 00:14:02 | Deep Dive |
| CVE-2026-3635 | Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function | fastify | fastify | Medium | 6.1 | 2026-03-23 13:53:00 | Deep Dive |
| CVE-2026-3419 | Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation | fastify | fastify | Medium | 5.3 | 2026-03-06 17:50:59 | Deep Dive |
| CVE-2026-2880 | @fastify/middie has an improper path normalization vulnerability | @fastify/middie | @fastify/middie | Medium | - | 2026-02-27 18:25:37 | Deep Dive |
| CVE-2026-25223 | Fastify's Content-Type header tab character allows body validation bypass | fastify | fastify | High | 7.5 | 2026-02-03 21:21:40 | Deep Dive |
| CVE-2026-25224 | Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream | fastify | fastify | Low | 3.7 | 2026-02-03 21:21:35 | Deep Dive |
| CVE-2026-22037 | @fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding) | fastify | fastify-express | High | 8.4 | 2026-01-19 16:48:11 | Deep Dive |
| CVE-2026-22031 | Fastify Middie Middleware Path Bypass | fastify | middie | High | 8.4 | 2026-01-19 15:24:46 | Deep Dive |
| CVE-2025-66415 | fastify-reply-from bypass of reply forwarding | fastify | fastify-reply-from | - | - | 2025-12-01 22:39:32 | Deep Dive |
| CVE-2025-32442 | Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass | fastify | fastify | High | 7.5 | 2025-04-18 15:59:07 | Deep Dive |
| CVE-2025-24033 | @fastify/multipart vulnerable to unlimited consumption of resources | fastify | fastify-multipart | High | 7.5 | 2025-01-23 17:40:56 | Deep Dive |
| CVE-2024-35220 | @fastify/session reuses destroyed session cookie | fastify | session | High | 7.4 | 2024-05-21 20:26:53 | Deep Dive |
| CVE-2024-31999 | @fastify/secure-session: Reuse of destroyed secure session cookie | fastify | fastify-secure-session | High | 7.4 | 2024-04-10 21:59:54 | Deep Dive |