Skip to content
Threat Feed

Vendor

Fastify

4 briefs RSS
critical advisory

@fastify/express Authentication Bypass via URL Normalization Gaps

A vulnerability exists in `@fastify/express` v4.0.4 that allows complete bypass of path-scoped authentication middleware via URL normalization gaps, specifically through duplicate slashes and semicolon delimiters, leading to unauthorized access to protected routes.

@fastify/express fastify express authentication-bypass url-normalization cve-2026-33808
2r 1t 1c
high advisory

@fastify/middie Middleware Bypass Vulnerability via Duplicate Slashes

`@fastify/middie` versions 9.3.1 and earlier are vulnerable to middleware bypass via URLs with duplicate leading slashes due to improper handling of the deprecated `ignoreDuplicateSlashes` option, potentially allowing unauthorized access to protected resources.

Fastify +1 middie middleware-bypass vulnerability defense-evasion
2r 1t 1c
critical advisory

Fastify/Express Middleware Path Doubling Authentication Bypass

A path handling bug in `@fastify/express` v4.0.4 `onRegister` function causes middleware paths to be doubled when inherited by child plugins, resulting in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware.

@fastify/express fastify express authentication-bypass middleware path-traversal
2r 1t
critical advisory

Fastify Middlie Authentication Bypass Vulnerability (CVE-2026-6270)

Fastify middlie versions 9.3.1 and earlier do not properly register inherited middleware, leading to authentication bypass in child plugin scopes, allowing unauthenticated access.

middie fastify middlie authentication bypass cve-2026-6270
2r 1t 1c 1i