{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/fastify/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-33804"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["fastify","middie","middleware","bypass","cve-2026-33804","defense-evasion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003e@fastify/middie, a Fastify middleware engine, is vulnerable to a significant security bypass. Specifically, versions 9.3.1 and earlier are susceptible when the deprecated Fastify \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option is enabled. This vulnerability, identified as CVE-2026-33804, arises because the middleware\u0026rsquo;s path matching logic fails to account for the duplicate slash normalization performed by Fastify\u0026rsquo;s router. Consequently, crafted HTTP requests containing duplicate slashes can circumvent middleware authentication and authorization checks, potentially granting unauthorized access to protected resources. This vulnerability only affects applications that are actively using the deprecated \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option. The recommended remediation is to upgrade to @fastify/middie version 9.3.2, which addresses this issue. Alternatively, disabling the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option can serve as a mitigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Fastify application using @fastify/middie version 9.3.1 or earlier with the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a protected resource. The request URI includes duplicate slashes (e.g., \u003ccode\u003e/api//resource\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request is received by the Fastify server.\u003c/li\u003e\n\u003cli\u003eFastify\u0026rsquo;s router normalizes the duplicate slashes in the URI before passing it to the middleware.\u003c/li\u003e\n\u003cli\u003eThe middleware\u0026rsquo;s path matching logic fails to correctly handle the normalized URI due to the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e setting.\u003c/li\u003e\n\u003cli\u003eAs a result, the request bypasses the intended authentication and/or authorization checks implemented by the middleware.\u003c/li\u003e\n\u003cli\u003eThe request reaches the targeted resource, which is processed by the application.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the resource, potentially leading to data breaches, privilege escalation, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass authentication and authorization controls, potentially gaining unauthorized access to sensitive data or functionality within the Fastify application. The severity of the impact depends on the nature of the protected resources and the extent of the attacker\u0026rsquo;s access. This could lead to data breaches, privilege escalation, or other malicious activities. The number of potential victims is dependent on the number of applications using the vulnerable version of @fastify/middie with the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade @fastify/middie to version 9.3.2 or later to patch the vulnerability described in CVE-2026-33804.\u003c/li\u003e\n\u003cli\u003eDisable the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option in Fastify configurations as an alternative mitigation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectFastifyMiddieBypassAttempt\u003c/code\u003e to identify potential exploitation attempts based on duplicate slashes in the request URI.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T15:17:34Z","date_published":"2026-04-16T15:17:34Z","id":"/briefs/2026-04-fastify-middie-bypass/","summary":"A middleware bypass vulnerability (CVE-2026-33804) exists in @fastify/middie versions 9.3.1 and earlier when the deprecated Fastify ignoreDuplicateSlashes option is enabled, potentially allowing unauthorized access.","title":"@fastify/middie Middleware Bypass Vulnerability (CVE-2026-33804)","url":"https://feed.craftedsignal.io/briefs/2026-04-fastify-middie-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["fastify","header stripping","proxy vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003e@fastify/reply-from\u003c/code\u003e and \u003ccode\u003e@fastify/http-proxy\u003c/code\u003e libraries are vulnerable to a header stripping attack. This vulnerability stems from the incorrect processing order of the \u003ccode\u003eConnection\u003c/code\u003e header. The client\u0026rsquo;s \u003ccode\u003eConnection\u003c/code\u003e header is processed \u003cem\u003eafter\u003c/em\u003e the proxy has added custom headers via the \u003ccode\u003erewriteRequestHeaders\u003c/code\u003e function. This allows an attacker to retroactively remove headers added by the proxy by simply listing them in the \u003ccode\u003eConnection\u003c/code\u003e header. This affects any application leveraging these plugins where custom headers are injected for routing, access control, or other security purposes. All versions of both \u003ccode\u003e@fastify/reply-from\u003c/code\u003e and \u003ccode\u003e@fastify/http-proxy\u003c/code\u003e are affected. The vulnerability can be exploited without any special configuration. This undermines the intended function of a proxy as a trusted intermediary.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA client crafts a request containing a \u003ccode\u003eConnection\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe client sends the crafted request to a Fastify proxy server using \u003ccode\u003e@fastify/reply-from\u003c/code\u003e or \u003ccode\u003e@fastify/http-proxy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe proxy receives the request and copies all client headers, including the \u003ccode\u003eConnection\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe proxy, using \u003ccode\u003erewriteRequestHeaders\u003c/code\u003e, adds custom headers (e.g., \u003ccode\u003ex-forwarded-by\u003c/code\u003e) to the request.\u003c/li\u003e\n\u003cli\u003eThe proxy\u0026rsquo;s transport handler processes the \u003ccode\u003eConnection\u003c/code\u003e header from the client.\u003c/li\u003e\n\u003cli\u003eHeaders listed in the client\u0026rsquo;s \u003ccode\u003eConnection\u003c/code\u003e header, including proxy-added headers, are stripped from the upstream request.\u003c/li\u003e\n\u003cli\u003eThe modified request, with stripped headers, is forwarded to the upstream server.\u003c/li\u003e\n\u003cli\u003eThe upstream server receives the request with missing headers, potentially bypassing security checks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security controls implemented by the proxy. This includes bypassing proxy identification, circumventing access control mechanisms, and removing arbitrary headers. For example, an attacker can strip headers like \u003ccode\u003ex-forwarded-by\u003c/code\u003e to avoid detection, or remove authentication headers like \u003ccode\u003eauthorization\u003c/code\u003e or custom access control headers like \u003ccode\u003ex-internal-auth\u003c/code\u003e to gain unauthorized access to resources. The number of victims depends on the prevalence of vulnerable Fastify deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to patched versions of \u003ccode\u003e@fastify/reply-from\u003c/code\u003e and \u003ccode\u003e@fastify/http-proxy\u003c/code\u003e when available.\u003c/li\u003e\n\u003cli\u003eAs a workaround, avoid using \u003ccode\u003erewriteRequestHeaders\u003c/code\u003e to inject security-critical headers into requests.\u003c/li\u003e\n\u003cli\u003eImplement input validation to sanitize or reject requests containing a \u003ccode\u003eConnection\u003c/code\u003e header that attempts to remove security-sensitive headers.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing \u003ccode\u003eConnection\u003c/code\u003e headers listing custom or security-related headers as a sign of potential exploitation (see Sigma rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T01:02:59Z","date_published":"2026-04-16T01:02:59Z","id":"/briefs/2026-04-fastify-header-strip/","summary":"The `@fastify/reply-from` and `@fastify/http-proxy` libraries process the client's `Connection` header after adding headers, allowing attackers to strip proxy-added headers via the `Connection` header, leading to potential bypass of security controls.","title":"Fastify Proxy Header Stripping Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-fastify-header-strip/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33806"},{"cvss":7.5,"id":"CVE-2025-32442"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["fastify","validation-bypass","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFastify v5.x (specifically versions 5.3.2 through 5.8.4) contains a vulnerability where request body validation schemas specified via \u003ccode\u003eschema.body.content\u003c/code\u003e can be bypassed by prepending a single space character (\u003ccode\u003e\\x20\u003c/code\u003e) to the \u003ccode\u003eContent-Type\u003c/code\u003e header. This flaw, assigned CVE-2026-33806, arises from inconsistent handling of the Content-Type header during parsing and validation.  The body is parsed correctly as JSON, but schema validation is skipped entirely. This is a regression introduced by commit \u003ccode\u003ef3d2bcb\u003c/code\u003e (April 18, 2025), a fix for CVE-2025-32442. This vulnerability allows attackers to send malicious payloads that bypass intended data integrity and security checks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Fastify application using \u003ccode\u003eschema.body.content\u003c/code\u003e for request body validation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request with a JSON payload designed to violate the validation schema (e.g., exceeding allowed amount or injecting invalid admin value).\u003c/li\u003e\n\u003cli\u003eThe attacker prepends a single space character to the \u003ccode\u003eContent-Type\u003c/code\u003e header (e.g., \u003ccode\u003e Content-Type: application/json\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Fastify server parses the \u003ccode\u003eContent-Type\u003c/code\u003e header using \u003ccode\u003elib/validation.js\u003c/code\u003e which splits the string, resulting in an empty string content type.\u003c/li\u003e\n\u003cli\u003eThe server fails to locate a validator associated with the empty string content type.\u003c/li\u003e\n\u003cli\u003eRequest body validation is skipped, and the malicious payload is processed by the application.\u003c/li\u003e\n\u003cli\u003eThe application processes the invalid data, potentially leading to unauthorized actions or data corruption.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as transferring an excessive amount, manipulating data, or gaining unauthorized privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability affects Fastify applications using \u003ccode\u003eschema.body.content\u003c/code\u003e for request body validation. By prepending a single space to the Content-Type header, attackers can bypass these validations. Successful exploitation allows an attacker to inject malicious payloads, leading to data corruption, unauthorized access, or other security breaches. While the exact number of victims is unknown, any application within the vulnerable version range is susceptible. This vulnerability requires no authentication and has zero complexity — it is a single-character modification to an HTTP header.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by adding \u003ccode\u003etrimStart()\u003c/code\u003e before the split in \u003ccode\u003egetEssenceMediaType\u003c/code\u003e within the Fastify framework to address CVE-2026-33806.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Fastify Validation Bypass Attempt\u0026rdquo; to your SIEM to identify attempts to exploit this vulnerability by monitoring for requests with leading spaces in the Content-Type header.\u003c/li\u003e\n\u003cli\u003eUpgrade Fastify to a version beyond 5.8.4 to mitigate CVE-2026-33806.\u003c/li\u003e\n\u003cli\u003eReview all Fastify routes that use \u003ccode\u003eschema.body.content\u003c/code\u003e for potential vulnerabilities related to content-type validation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T19:26:39Z","date_published":"2026-04-15T19:26:39Z","id":"/briefs/2026-06-27-fastify-validation-bypass/","summary":"Fastify v5.x is vulnerable to a body schema validation bypass, allowing attackers to circumvent request body validation by prepending a single space to the Content-Type header, potentially compromising data integrity and security constraints.","title":"Fastify Body Schema Validation Bypass via Leading Space in Content-Type Header","url":"https://feed.craftedsignal.io/briefs/2026-06-27-fastify-validation-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Fastify","version":"https://jsonfeed.org/version/1.1"}