https://feed.craftedsignal.io/tags/fastify/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 16 Apr 2026 15:17:34 +0000https://feed.craftedsignal.io/briefs/2026-04-fastify-middie-bypass/Thu, 16 Apr 2026 15:17:34 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-fastify-middie-bypass/A middleware bypass vulnerability (CVE-2026-33804) exists in @fastify/middie versions 9.3.1 and earlier when the deprecated Fastify ignoreDuplicateSlashes option is enabled, potentially allowing unauthorized access.@fastify/middie, a Fastify middleware engine, is vulnerable to a significant security bypass. Specifically, versions 9.3.1 and earlier are susceptible when the deprecated Fastify ignoreDuplicateSlashes option is enabled. This vulnerability, identified as CVE-2026-33804, arises because the middleware’s path matching logic fails to account for the duplicate slash normalization performed by Fastify’s router. Consequently, crafted HTTP requests containing duplicate slashes can circumvent middleware authentication and authorization checks, potentially granting unauthorized access to protected resources. This vulnerability only affects applications that are actively using the deprecated ignoreDuplicateSlashes option. The recommended remediation is to upgrade to @fastify/middie version 9.3.2, which addresses this issue. Alternatively, disabling the ignoreDuplicateSlashes option can serve as a mitigation.

Attack Chain

1. An attacker identifies a Fastify application using @fastify/middie version 9.3.1 or earlier with the ignoreDuplicateSlashes option enabled.
2. The attacker crafts a malicious HTTP request targeting a protected resource. The request URI includes duplicate slashes (e.g., /api//resource).
3. The request is received by the Fastify server.
4. Fastify’s router normalizes the duplicate slashes in the URI before passing it to the middleware.
5. The middleware’s path matching logic fails to correctly handle the normalized URI due to the ignoreDuplicateSlashes setting.
6. As a result, the request bypasses the intended authentication and/or authorization checks implemented by the middleware.
7. The request reaches the targeted resource, which is processed by the application.
8. The attacker gains unauthorized access to the resource, potentially leading to data breaches, privilege escalation, or other malicious activities.

Impact

Successful exploitation of this vulnerability allows attackers to bypass authentication and authorization controls, potentially gaining unauthorized access to sensitive data or functionality within the Fastify application. The severity of the impact depends on the nature of the protected resources and the extent of the attacker’s access. This could lead to data breaches, privilege escalation, or other malicious activities. The number of potential victims is dependent on the number of applications using the vulnerable version of @fastify/middie with the ignoreDuplicateSlashes option enabled.

Recommendation

• Upgrade @fastify/middie to version 9.3.2 or later to patch the vulnerability described in CVE-2026-33804.
• Disable the ignoreDuplicateSlashes option in Fastify configurations as an alternative mitigation.
• Deploy the Sigma rule DetectFastifyMiddieBypassAttempt to identify potential exploitation attempts based on duplicate slashes in the request URI.

]]>highadvisoryfastifymiddiemiddlewarebypasscve-2026-33804defense-evasionhttps://feed.craftedsignal.io/briefs/2026-04-fastify-header-strip/Thu, 16 Apr 2026 01:02:59 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-fastify-header-strip/The `@fastify/reply-from` and `@fastify/http-proxy` libraries process the client's `Connection` header after adding headers, allowing attackers to strip proxy-added headers via the `Connection` header, leading to potential bypass of security controls.The @fastify/reply-from and @fastify/http-proxy libraries are vulnerable to a header stripping attack. This vulnerability stems from the incorrect processing order of the Connection header. The client’s Connection header is processed after the proxy has added custom headers via the rewriteRequestHeaders function. This allows an attacker to retroactively remove headers added by the proxy by simply listing them in the Connection header. This affects any application leveraging these plugins where custom headers are injected for routing, access control, or other security purposes. All versions of both @fastify/reply-from and @fastify/http-proxy are affected. The vulnerability can be exploited without any special configuration. This undermines the intended function of a proxy as a trusted intermediary.

Attack Chain

1. A client crafts a request containing a Connection header.
2. The client sends the crafted request to a Fastify proxy server using @fastify/reply-from or @fastify/http-proxy.
3. The proxy receives the request and copies all client headers, including the Connection header.
4. The proxy, using rewriteRequestHeaders, adds custom headers (e.g., x-forwarded-by) to the request.
5. The proxy’s transport handler processes the Connection header from the client.
6. Headers listed in the client’s Connection header, including proxy-added headers, are stripped from the upstream request.
7. The modified request, with stripped headers, is forwarded to the upstream server.
8. The upstream server receives the request with missing headers, potentially bypassing security checks.

Impact

Successful exploitation allows attackers to bypass security controls implemented by the proxy. This includes bypassing proxy identification, circumventing access control mechanisms, and removing arbitrary headers. For example, an attacker can strip headers like x-forwarded-by to avoid detection, or remove authentication headers like authorization or custom access control headers like x-internal-auth to gain unauthorized access to resources. The number of victims depends on the prevalence of vulnerable Fastify deployments.

Recommendation

• Upgrade to patched versions of @fastify/reply-from and @fastify/http-proxy when available.
• As a workaround, avoid using rewriteRequestHeaders to inject security-critical headers into requests.
• Implement input validation to sanitize or reject requests containing a Connection header that attempts to remove security-sensitive headers.
• Monitor web server logs for requests containing Connection headers listing custom or security-related headers as a sign of potential exploitation (see Sigma rule below).

]]>criticaladvisoryfastifyheader strippingproxy vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-06-27-fastify-validation-bypass/Wed, 15 Apr 2026 19:26:39 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-27-fastify-validation-bypass/Fastify v5.x is vulnerable to a body schema validation bypass, allowing attackers to circumvent request body validation by prepending a single space to the Content-Type header, potentially compromising data integrity and security constraints.Fastify v5.x (specifically versions 5.3.2 through 5.8.4) contains a vulnerability where request body validation schemas specified via schema.body.content can be bypassed by prepending a single space character (\x20) to the Content-Type header. This flaw, assigned CVE-2026-33806, arises from inconsistent handling of the Content-Type header during parsing and validation. The body is parsed correctly as JSON, but schema validation is skipped entirely. This is a regression introduced by commit f3d2bcb (April 18, 2025), a fix for CVE-2025-32442. This vulnerability allows attackers to send malicious payloads that bypass intended data integrity and security checks.

Attack Chain

1. The attacker identifies a Fastify application using schema.body.content for request body validation.
2. The attacker crafts a malicious HTTP POST request with a JSON payload designed to violate the validation schema (e.g., exceeding allowed amount or injecting invalid admin value).
3. The attacker prepends a single space character to the Content-Type header (e.g., Content-Type: application/json).
4. The Fastify server parses the Content-Type header using lib/validation.js which splits the string, resulting in an empty string content type.
5. The server fails to locate a validator associated with the empty string content type.
6. Request body validation is skipped, and the malicious payload is processed by the application.
7. The application processes the invalid data, potentially leading to unauthorized actions or data corruption.
8. The attacker achieves their objective, such as transferring an excessive amount, manipulating data, or gaining unauthorized privileges.

Impact

This vulnerability affects Fastify applications using schema.body.content for request body validation. By prepending a single space to the Content-Type header, attackers can bypass these validations. Successful exploitation allows an attacker to inject malicious payloads, leading to data corruption, unauthorized access, or other security breaches. While the exact number of victims is unknown, any application within the vulnerable version range is susceptible. This vulnerability requires no authentication and has zero complexity — it is a single-character modification to an HTTP header.

Recommendation

• Apply the recommended fix by adding trimStart() before the split in getEssenceMediaType within the Fastify framework to address CVE-2026-33806.
• Deploy the Sigma rule “Detect Fastify Validation Bypass Attempt” to your SIEM to identify attempts to exploit this vulnerability by monitoring for requests with leading spaces in the Content-Type header.
• Upgrade Fastify to a version beyond 5.8.4 to mitigate CVE-2026-33806.
• Review all Fastify routes that use schema.body.content for potential vulnerabilities related to content-type validation.

]]>highadvisoryfastifyvalidation-bypasswebserver