Threat Feed

Tag

Fastify

4 briefs
medium advisory

Fastify accepts-serializer Denial of Service via Unbounded Accept Header Cache Growth

The @fastify/accepts-serializer package is vulnerable to a denial-of-service (DoS) attack through unbounded cache growth: an attacker can send many distinct Accept header variants, causing the cache to grow without limit until the Node.js heap is exhausted and the process crashes.

@fastify/accepts-serializer dos denial-of-service fastify
high advisory

@fastify/middie Middleware Bypass Vulnerability (CVE-2026-33804)

A middleware bypass vulnerability (CVE-2026-33804) exists in @fastify/middie versions 9.3.1 and earlier when the deprecated Fastify ignoreDuplicateSlashes option is enabled, potentially allowing unauthorized access.

fastify middie middleware bypass cve-2026-33804 defense-evasion
critical advisory

Fastify Proxy Header Stripping Vulnerability

The `@fastify/reply-from` and `@fastify/http-proxy` libraries process the client's `Connection` header after adding headers, so an attacker can use the `Connection` header to strip proxy-added headers, potentially bypassing security controls.

fastify header stripping proxy vulnerability
high advisory

Fastify Body Schema Validation Bypass via Leading Space in Content-Type Header

Fastify v5.x is vulnerable to a body schema validation bypass, allowing attackers to circumvent request body validation by prepending a single space to the Content-Type header, potentially compromising data integrity and security constraints.

fastify validation-bypass webserver