GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
12 advisories
Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
High
CVE-2025-32442
was published
for
fastify
(npm)
Apr 18, 2025
fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
Moderate
CVE-2026-3635
was published
for
fastify
(npm)
Mar 25, 2026
Fastify's connection header abuse enables stripping of proxy-added headers
Critical
CVE-2026-33805
was published
for
@fastify/http-proxy
(npm)
Apr 16, 2026
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes
Critical
CVE-2026-33807
was published
for
@fastify/express
(npm)
Apr 16, 2026
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
Critical
CVE-2026-33808
was published
for
@fastify/express
(npm)
Apr 16, 2026
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
High
CVE-2026-33804
was published
for
@fastify/middie
(npm)
Apr 16, 2026
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
Critical
CVE-2026-6270
was published
for
@fastify/middie
(npm)
Apr 16, 2026
@fastify/static vulnerable to route guard bypass via encoded path separators
Moderate
CVE-2026-6414
was published
for
@fastify/static
(npm)
Apr 16, 2026
@fastify/static vulnerable to path traversal in directory listing
Moderate
CVE-2026-6410
was published
for
@fastify/static
(npm)
Apr 16, 2026
Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header
High
CVE-2026-33806
was published
for
fastify
(npm)
Apr 15, 2026
fast-uri vulnerable to path traversal via percent-encoded dot segments
High
CVE-2026-6321
was published
for
fast-uri
(npm)
May 8, 2026
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
High
CVE-2026-6322
was published
for
fast-uri
(npm)
May 8, 2026
ProTip!
Advisories are also available from the
GraphQL API