{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/fastify/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-22037"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@fastify/express"],"_cs_severities":["critical"],"_cs_tags":["fastify","express","authentication-bypass","url-normalization","cve-2026-33808"],"_cs_type":"advisory","_cs_vendors":["Fastify"],"content_html":"\u003cp\u003eA critical vulnerability exists in \u003ccode\u003e@fastify/express\u003c/code\u003e version 4.0.4 related to URL normalization. When Fastify router normalization options (\u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e or \u003ccode\u003euseSemicolonDelimiter\u003c/code\u003e) are enabled, the \u003ccode\u003e@fastify/express\u003c/code\u003e module fails to properly normalize URLs before passing them to Express middleware. This discrepancy allows attackers to bypass authentication and authorization checks implemented in Express middleware. The vulnerability stems from the \u003ccode\u003eenhanceRequest\u003c/code\u003e function in \u003ccode\u003eindex.js\u003c/code\u003e, which doesn't normalize duplicate slashes or strip semicolon-delimited parameters, leading to a mismatch between Fastify's route matching and Express's middleware handling. This issue is distinct from CVE-2026-22037, which addressed percent-encoding bypass. Successful exploitation grants unauthenticated access to protected resources, impacting applications that rely on Express middleware for security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a protected route, such as \u003ccode\u003e/admin/dashboard\u003c/code\u003e, that is secured by Express middleware within a Fastify application using \u003ccode\u003e@fastify/express\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing either duplicate slashes (e.g., \u003ccode\u003e//admin/dashboard\u003c/code\u003e) or semicolon delimiters (e.g., \u003ccode\u003e/admin;bypass\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the target server using the crafted malicious URL.\u003c/li\u003e\n\u003cli\u003eFastify's router, configured with \u003ccode\u003eignoreDuplicateSlashes: true\u003c/code\u003e or \u003ccode\u003euseSemicolonDelimiter: true\u003c/code\u003e, normalizes the URL for route matching.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e@fastify/express\u003c/code\u003e's \u003ccode\u003eenhanceRequest\u003c/code\u003e function passes the original, un-normalized URL to the Express middleware.\u003c/li\u003e\n\u003cli\u003eThe Express middleware, expecting the normalized URL (e.g., \u003ccode\u003e/admin/dashboard\u003c/code\u003e), fails to match the malicious URL (e.g., \u003ccode\u003e//admin/dashboard\u003c/code\u003e or \u003ccode\u003e/admin;bypass\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe authentication/authorization checks in the Express middleware are bypassed.\u003c/li\u003e\n\u003cli\u003eThe Fastify route handler executes, granting the attacker unauthorized access to the protected resource, potentially leading to data breaches or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for complete authentication bypass in applications that utilize Express middleware for path-based access control and are built on \u003ccode\u003e@fastify/express\u003c/code\u003e. Successful exploitation leads to unauthorized access to protected resources like admin panels, APIs, and sensitive user data. The duplicate slash vector impacts applications with \u003ccode\u003eignoreDuplicateSlashes: true\u003c/code\u003e, while the semicolon vector affects those with \u003ccode\u003euseSemicolonDelimiter: true\u003c/code\u003e. This bypass affects all Express middleware using prefix path matching, including popular authentication, authorization, and rate-limiting packages. The root cause lies in the unexpected behavior of \u003ccode\u003e@fastify/express\u003c/code\u003e and its interaction with Fastify's router options, potentially affecting a large number of applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Fastify Express Double Slash Authentication Bypass\u003c/code\u003e to detect attempts to exploit the duplicate slash vulnerability via web server logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Fastify Express Semicolon Authentication Bypass\u003c/code\u003e to detect attempts to exploit the semicolon delimiter vulnerability via web server logs.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003e@fastify/express\u003c/code\u003e when available. This should include URL normalization before passing to Express middleware as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eReview Fastify configurations to understand if \u003ccode\u003eignoreDuplicateSlashes: true\u003c/code\u003e or \u003ccode\u003euseSemicolonDelimiter: true\u003c/code\u003e are actively used and assess the impact of disabling them until a patch is applied.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-02-29T10:00:00Z","date_published":"2024-02-29T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-02-fastify-express-auth-bypass/","summary":"A vulnerability exists in `@fastify/express` v4.0.4 that allows complete bypass of path-scoped authentication middleware via URL normalization gaps, specifically through duplicate slashes and semicolon delimiters, leading to unauthorized access to protected routes.","title":"@fastify/express Authentication Bypass via URL Normalization Gaps","url":"https://feed.craftedsignal.io/briefs/2024-02-fastify-express-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-2880"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Fastify","@fastify/middie"],"_cs_severities":["high"],"_cs_tags":["fastify","middie","middleware-bypass","vulnerability","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Fastify"],"content_html":"\u003cp\u003eA vulnerability exists in the \u003ccode\u003e@fastify/middie\u003c/code\u003e package, a middleware engine for the Fastify web framework. Specifically, versions 9.3.1 and earlier fail to properly handle the deprecated top-level \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option. This option, intended to normalize duplicate slashes in URLs, is only read from the \u003ccode\u003erouterOptions\u003c/code\u003e configuration, leading to a discrepancy where Fastify's router normalizes slashes but middie does not.  The vulnerability allows attackers to bypass middleware protections by crafting URLs with duplicate leading slashes (e.g., \u003ccode\u003e//admin/secret\u003c/code\u003e). This only impacts applications still using the deprecated top-level configuration style (\u003ccode\u003efastify({ ignoreDuplicateSlashes: true })\u003c/code\u003e). This issue is distinct from CVE-2026-2880 (GHSA-8p85-9qpw-fwgw) and was addressed in version 9.2.0. Defenders should prioritize patching or migrating to the supported \u003ccode\u003erouterOptions\u003c/code\u003e configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Fastify application using \u003ccode\u003e@fastify/middie\u003c/code\u003e version 9.3.1 or earlier and employing the deprecated top-level \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request with a URL containing duplicate leading slashes (e.g., \u003ccode\u003e//admin/secret\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eFastify's router normalizes the URL, removing the duplicate slashes before routing.\u003c/li\u003e\n\u003cli\u003eHowever, \u003ccode\u003e@fastify/middie\u003c/code\u003e does not properly handle the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option from the top-level configuration.\u003c/li\u003e\n\u003cli\u003eDue to the normalization gap, the request bypasses middleware intended to protect the \u003ccode\u003e/admin/secret\u003c/code\u003e route.\u003c/li\u003e\n\u003cli\u003eThe request reaches the vulnerable route, potentially exposing sensitive information or functionality.\u003c/li\u003e\n\u003cli\u003eThe application processes the request without proper authentication or authorization checks due to the bypassed middleware.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to protected resources, leading to data leakage or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unauthorized access to sensitive resources within affected Fastify applications. The number of victims depends on the prevalence of the vulnerable configuration. Sectors particularly at risk include organizations using Fastify for web application development without adhering to security best practices.  If the attack succeeds, attackers could gain access to administrative interfaces, confidential data, or other protected resources, potentially leading to data breaches, service disruption, or other adverse outcomes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003e@fastify/middie\u003c/code\u003e version 9.3.2 or later to remediate the vulnerability (reference: Affected Packages).\u003c/li\u003e\n\u003cli\u003eMigrate from the deprecated top-level \u003ccode\u003eignoreDuplicateSlashes: true\u003c/code\u003e configuration to \u003ccode\u003erouterOptions: { ignoreDuplicateSlashes: true }\u003c/code\u003e (reference: Workarounds).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious URL Access via Duplicate Slashes\u0026quot; to identify potential exploitation attempts (reference: rules).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests with URLs containing duplicate leading slashes targeting sensitive endpoints (reference: webserver logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T10:00:00Z","date_published":"2024-01-29T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-fastify-middie-bypass/","summary":"`@fastify/middie` versions 9.3.1 and earlier are vulnerable to middleware bypass via URLs with duplicate leading slashes due to improper handling of the deprecated `ignoreDuplicateSlashes` option, potentially allowing unauthorized access to protected resources.","title":"@fastify/middie Middleware Bypass Vulnerability via Duplicate Slashes","url":"https://feed.craftedsignal.io/briefs/2024-01-29-fastify-middie-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@fastify/express"],"_cs_severities":["critical"],"_cs_tags":["fastify","express","authentication-bypass","middleware","path-traversal"],"_cs_type":"advisory","_cs_vendors":["Fastify"],"content_html":"\u003cp\u003eA path handling bug in the \u003ccode\u003e@fastify/express\u003c/code\u003e package allows attackers to bypass authentication in Fastify applications using Express middleware. The vulnerability exists in version 4.0.4 of \u003ccode\u003e@fastify/express\u003c/code\u003e. The \u003ccode\u003eonRegister\u003c/code\u003e function incorrectly handles middleware paths when child plugins are registered with a prefix, causing the middleware paths to be doubled. This leads to a situation where security controls, such as authentication checks, are silently skipped for routes defined within those child plugin scopes. This vulnerability impacts applications using path-scoped middleware and child plugins with matching prefixes, and it affects default Fastify configurations. The issue was reported on April 16, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe application registers Express middleware with a path scope (e.g., \u003ccode\u003e/admin\u003c/code\u003e) using \u003ccode\u003eapp.use('/admin', authFn)\u003c/code\u003e. The path is stored as \u003ccode\u003e/admin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA child plugin is registered with a prefix that overlaps the middleware path (e.g., \u003ccode\u003e{ prefix: '/admin' }\u003c/code\u003e). This triggers the \u003ccode\u003eonRegister\u003c/code\u003e hook.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eonRegister\u003c/code\u003e function copies the parent middleware and attempts to re-register it using \u003ccode\u003einstance.use('/admin', authFn)\u003c/code\u003e on the child plugin instance.\u003c/li\u003e\n\u003cli\u003eThe child's \u003ccode\u003euse()\u003c/code\u003e function prepends the plugin prefix to the middleware path, resulting in a doubled path (e.g., \u003ccode\u003e/admin/admin\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eRoutes are defined within the child plugin scope using the child's Express instance.\u003c/li\u003e\n\u003cli\u003eWhen a request is made to a route within the child scope (e.g., \u003ccode\u003e/admin/secret\u003c/code\u003e), the middleware registered with the doubled path (\u003ccode\u003e/admin/admin\u003c/code\u003e) is not triggered.\u003c/li\u003e\n\u003cli\u003eAuthentication and authorization checks are bypassed because the middleware is not executed for requests to the intended routes.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to resources and data within the child plugin scope.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows for a complete bypass of Express middleware security controls for routes defined within child plugin scopes. This includes authentication, authorization, rate limiting, and other security measures.  The silent nature of the bypass, with no errors or warnings, makes it particularly dangerous.  Successful exploitation could lead to unauthorized access to sensitive data, privilege escalation, and other security breaches. Any child plugin scope that shares a prefix with middleware is affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003e@fastify/express\u003c/code\u003e when available.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, avoid using child plugins with prefixes that overlap with middleware path scopes until a patch is released.\u003c/li\u003e\n\u003cli\u003eReview existing \u003ccode\u003e@fastify/express\u003c/code\u003e configurations for overlapping middleware paths and child plugin prefixes, and refactor the application to avoid this pattern.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Fastify Express Middleware Bypass\u003c/code\u003e to identify potential exploitation attempts by monitoring for requests to routes that should be protected by middleware but are not.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional security measures, such as request validation and input sanitization, to mitigate the risk of unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-fastify-express-auth-bypass/","summary":"A path handling bug in `@fastify/express` v4.0.4 `onRegister` function causes middleware paths to be doubled when inherited by child plugins, resulting in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware.","title":"Fastify/Express Middleware Path Doubling Authentication Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-09-fastify-express-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-6270"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["middie"],"_cs_severities":["critical"],"_cs_tags":["fastify","middlie","authentication bypass","cve-2026-6270"],"_cs_type":"advisory","_cs_vendors":["Fastify"],"content_html":"\u003cp\u003eFastify is a fast and low overhead web framework for Node.js. @fastify/middie is a middleware engine for Fastify. A critical vulnerability, CVE-2026-6270, exists in @fastify/middie versions 9.3.1 and earlier. This flaw stems from the failure to register inherited middleware directly on child plugin engine instances. Specifically, when authentication middleware is established in a parent scope of a Fastify application, any subsequent child plugins utilizing @fastify/middie will fail to inherit this middleware. Consequently, routes defined within these child plugin scopes become susceptible to unauthenticated requests, effectively bypassing intended authentication and authorization mechanisms. The recommended remediation is to upgrade to @fastify/middie version 9.3.2, which addresses this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Fastify application using @fastify/middie versions 9.3.1 or earlier.\u003c/li\u003e\n\u003cli\u003eThe application has authentication middleware registered in a parent scope to protect certain routes.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers a child plugin registered with @fastify/middie, which is intended to inherit the parent's authentication middleware.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the child plugin does not properly inherit the authentication middleware.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to a route within the vulnerable child plugin.\u003c/li\u003e\n\u003cli\u003eThe request bypasses the authentication checks that were intended to protect the route.\u003c/li\u003e\n\u003cli\u003eThe server processes the unauthenticated request and potentially exposes sensitive data or functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully accesses protected resources without proper authorization, potentially leading to data breaches or unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6270 allows attackers to bypass authentication mechanisms in Fastify applications using vulnerable versions of @fastify/middie. This can lead to unauthorized access to sensitive data, modification of application settings, or execution of privileged actions. The CVSS v3.1 base score for this vulnerability is 9.1, indicating a critical severity level. Organizations using affected versions of @fastify/middie are at risk of data breaches, compliance violations, and reputational damage if this vulnerability is exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to @fastify/middie version 9.3.2 to remediate CVE-2026-6270 (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to identify potential exploitation attempts targeting vulnerable Fastify applications (reference: rule \u0026quot;Detect Unauthenticated Access to Fastify Child Routes\u0026quot;).\u003c/li\u003e\n\u003cli\u003eReview Fastify application configurations to identify instances where authentication middleware is intended to be inherited by child plugins using @fastify/middie (reference: Overview section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-fastify-middlie-bypass/","summary":"Fastify middlie versions 9.3.1 and earlier do not properly register inherited middleware, leading to authentication bypass in child plugin scopes, allowing unauthenticated access.","title":"Fastify Middlie Authentication Bypass Vulnerability (CVE-2026-6270)","url":"https://feed.craftedsignal.io/briefs/2024-01-fastify-middlie-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Fastify","version":"https://jsonfeed.org/version/1.1"}