Vendor
@fastify/express Authentication Bypass via URL Normalization Gaps
2 rules 1 TTP 1 CVEA vulnerability exists in `@fastify/express` v4.0.4 that allows complete bypass of path-scoped authentication middleware via URL normalization gaps, specifically through duplicate slashes and semicolon delimiters, leading to unauthorized access to protected routes.
@fastify/middie Middleware Bypass Vulnerability via Duplicate Slashes
2 rules 1 TTP 1 CVE`@fastify/middie` versions 9.3.1 and earlier are vulnerable to middleware bypass via URLs with duplicate leading slashes due to improper handling of the deprecated `ignoreDuplicateSlashes` option, potentially allowing unauthorized access to protected resources.
Fastify/Express Middleware Path Doubling Authentication Bypass
2 rules 1 TTPA path handling bug in `@fastify/express` v4.0.4 `onRegister` function causes middleware paths to be doubled when inherited by child plugins, resulting in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware.
Fastify Middlie Authentication Bypass Vulnerability (CVE-2026-6270)
2 rules 1 TTP 1 CVE 1 IOCFastify middlie versions 9.3.1 and earlier do not properly register inherited middleware, leading to authentication bypass in child plugin scopes, allowing unauthenticated access.