fastify — Vulnerabilities & Security Advisories (28)

Browse all 28 CVE security advisories affecting fastify. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Fastify is a high-performance web framework for Node.js, built for backend APIs and microservices where low per-request overhead and high throughput matter. The 28 advisories on this page cover the core fastify package together with its official plugins (and, in one case, the organisation's GitHub Action for merging Dependabot pull requests), and they fall into a few concrete classes rather than a generic "input validation" label: Content-Type parsing in fastify itself that lets a malformed header (leading space, trailing tab, unanchored subtype) get a body past route schema validation (CWE-1287, CWE-185, CWE-436); middleware path matching in @fastify/express and middie that an attacker can step around with duplicate slashes, semicolon path parameters or percent-encoded characters, rated 8.4 to 9.1 because the middleware in question is typically the authentication gate (CWE-177, CWE-436); resource exhaustion from unbounded multipart parts and stream buffers (CWE-770); session and CSRF weaknesses in the session, secure-session, passport and csrf plugins (CWE-613, CWE-384, CWE-352, CWE-565); and the two 10.0 prefix-escape issues in fastify-reply-from and fastify-http-proxy (CWE-20). None of the listed entries is classified as prototype pollution or remote code execution. Fastify validates a request body only against the schema declared on the route, and, as their titles describe, the Content-Type entries in the list work by presenting a header the parser accepts but the validation step does not match on, not by defeating the validator itself. The practical consequences for a deployment are the usual ones: keep fastify and every plugin at a patched release, do not make an Express-style middleware path prefix the only authorization check in front of a route, set explicit limits on multipart parts and buffered streams, and let trustProxy name only the proxies whose X-Forwarded-* headers should be believed.
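The Content-Type entries in the list (CVE-2026-33806, CVE-2026-25223, CVE-2026-3419 and CVE-2025-32442) share one shape: a matcher that tolerates leading whitespace, a trailing tab or an unanchored subtype accepts headers that the schema selection later fails to recognise. The example below is added here and is not fastify's own parser. It places a strict RFC 7231 media-type parser beside a loose regular-expression check of the kind those titles describe and runs both over constructed probe headers; the function names and probes are illustrative assumptions.

```javascript
// Added example, not fastify's own Content-Type parser. A strict RFC 7231
// media-type parser beside the loose check that produces the bypasses in
// the advisory list: a matcher that tolerates leading whitespace, a trailing
// tab or an unanchored subtype accepts headers that the body-schema selection
// later fails to recognise, so the body reaches the handler unvalidated.
// All probe headers below are constructed.

// RFC 7230 "token": one or more tchar, no whitespace or separators.
const TCHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parse "type/subtype *( OWS ";" OWS parameter )". Returns
// { type, subtype, params } in lower case, or null on any deviation.
// Deliberately does not trim the value: a leading space or trailing tab
// is reported as malformed instead of being silently accepted.
function parseMediaTypeStrict(header) {
  if (typeof header !== 'string' || header.length === 0) return null;
  const parts = header.split(';');
  let typeSub = parts[0];
  // OWS is permitted before ";" only when a parameter follows.
  if (parts.length > 1) typeSub = typeSub.replace(/[ \t]+$/, '');
  const slash = typeSub.indexOf('/');
  if (slash < 0) return null;
  const type = typeSub.slice(0, slash);
  const subtype = typeSub.slice(slash + 1);
  if (!TCHAR.test(type) || !TCHAR.test(subtype)) return null;
  const params = {};
  for (const raw of parts.slice(1)) {
    const p = raw.replace(/^[ \t]+/, '').replace(/[ \t]+$/, '');
    const eq = p.indexOf('=');
    if (eq <= 0) return null;               // empty or nameless parameter
    const name = p.slice(0, eq);
    let value = p.slice(eq + 1);
    if (!TCHAR.test(name)) return null;
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);           // quoted-string, kept verbatim
    } else if (!TCHAR.test(value)) {
      return null;
    }
    params[name.toLowerCase()] = value;
  }
  return { type: type.toLowerCase(), subtype: subtype.toLowerCase(), params };
}

// The loose shape: "\s*" swallows leading whitespace, nothing anchors the
// end of the subtype, and anything after it is ignored.
function looksLikeJsonLoose(header) {
  return /^\s*application\/json/i.test(header);
}

function isJsonStrict(header) {
  const mt = parseMediaTypeStrict(header);
  return mt !== null && mt.type === 'application' && mt.subtype === 'json';
}

// Constructed probes. The loose matcher accepts all six; the strict parser
// accepts only the first two.
const CT_PROBES = [
  'application/json',
  'application/json; charset=utf-8',
  ' application/json',      // leading space
  'application/json\t',     // trailing tab
  'application/jsonx',      // subtype not anchored
  'application/json;',      // empty parameter
];

// Headers on which the two checks disagree, i.e. values a loose matcher
// would route to the JSON parser while strict parsing rejects them.
function disagreements(headers) {
  return headers.filter(h => looksLikeJsonLoose(h) !== isJsonStrict(h));
}
```

The design point is that the strict parser refuses rather than trims: whitespace the HTTP framing layer did not already strip is a signal that the header was crafted, and rejecting it with a 415 is cheaper and safer than guessing which schema the sender meant.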

| CVE ID | Title | Package | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-33807 | @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes | @fastify/express | CWE-436 | 9.1 | Critical | 2026-04-15 |
| CVE-2026-33808 | @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) | @fastify/express | CWE-436 | 9.1 | Critical | 2026-04-15 |
| CVE-2026-33806 | fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header | fastify | CWE-1287 | 7.5 | High | 2026-04-15 |
| CVE-2026-3635 | Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function | fastify | CWE-348 | 6.1 | Medium | 2026-03-23 |
| CVE-2026-3419 | Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation | fastify | CWE-185 | 5.3 | Medium | 2026-03-06 |
| CVE-2026-25223 | Fastify's Content-Type header tab character allows body validation bypass | fastify | CWE-436 | 7.5 | High | 2026-02-03 |
| CVE-2026-25224 | Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream | fastify | CWE-770 | 3.7 | Low | 2026-02-03 |
| CVE-2026-22037 | @fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding) | fastify-express | CWE-177 | 8.4 | High | 2026-01-19 |
| CVE-2026-22031 | Fastify Middie Middleware Path Bypass | middie | CWE-177 | 8.4 | High | 2026-01-19 |
| CVE-2025-66415 | fastify-reply-from bypass of reply forwarding | fastify-reply-from | CWE-441 | 6.5 (AI) | Medium (AI) | 2025-12-01 |
| CVE-2025-32442 | Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass | fastify | CWE-1287 | 7.5 | High | 2025-04-18 |
| CVE-2025-24033 | @fastify/multipart vulnerable to unlimited consumption of resources | fastify-multipart | CWE-770 | 7.5 | High | 2025-01-23 |
| CVE-2024-35220 | @fastify/session reuses destroyed session cookie | session | CWE-613 | 7.4 | High | 2024-05-21 |
| CVE-2024-31999 | @fastify/secure-session: Reuse of destroyed secure session cookie | fastify-secure-session | CWE-613 | 7.4 | High | 2024-04-10 |
| CVE-2024-22207 | Default swagger-ui configuration exposes all files in the module | fastify-swagger-ui | CWE-1188 | 5.3 | Medium | 2024-01-15 |
| CVE-2023-51701 | @fastify-reply-from JSON Content-Type parsing confusion | fastify-reply-from | CWE-444 | 5.3 | Medium | 2024-01-08 |
| CVE-2023-29020 | Cross site request forgery token fixation in fastify-passport | fastify-passport | CWE-384 | 6.5 | Medium | 2023-04-21 |
| CVE-2023-29019 | Session fixation in fastify-passport | fastify-passport | CWE-384 | 8.1 | High | 2023-04-21 |
| CVE-2023-27495 | Bypass of CSRF protection in the presence of predictable userInfo in @fastify/csrf-protection | csrf-protection | CWE-352 | 5.3 | Medium | 2023-04-20 |
| CVE-2023-25576 | @fastify/multipart vulnerable to DoS due to unlimited number of parts | fastify-multipart | CWE-770 | 7.5 | High | 2023-02-14 |
| CVE-2022-41919 | Fastify vulnerable to Cross-Site Request Forgery (CSRF) attack via incorrect content type | fastify | CWE-352 | 4.2 | Medium | 2022-11-22 |
| CVE-2022-39386 | fastify-websocket vulnerable to uncaught exception via crash on malformed packet | fastify-websocket | CWE-248 | 7.5 | High | 2022-11-08 |
| CVE-2022-39288 | Denial of service in Fastify via Content-Type header | fastify | CWE-754 | 7.5 | High | 2022-10-10 |
| CVE-2022-31142 | Potential Timing Attack Vector in @fastify/bearer-auth | fastify-bearer-auth | CWE-208 | 7.5 | High | 2022-07-14 |
| CVE-2022-29220 | No verification of commits origin in github-action-merge-dependabot | github-action-merge-dependabot | CWE-283 | 6.5 | Medium | 2022-05-31 |
| CVE-2021-29624 | Lack of protection against cookie tossing attacks in fastify-csrf | fastify-csrf | CWE-565 | 6.5 | Medium | 2021-05-19 |
| CVE-2021-21321 | Prefix escape | fastify-reply-from | CWE-20 | 10.0 | Critical | 2021-03-02 |
| CVE-2021-21322 | Prefix escape | fastify-http-proxy | CWE-20 | 10.0 | Critical | 2021-03-02 |

(AI): score and severity marked on the original page as produced by the site's AI analysis rather than taken from the advisory. The severity for CVE-2026-33808 was blank on the original page and is shown here as Critical, the qualitative rating that corresponds to a 9.1 CVSS score.
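Four of the highest-rated entries above (CVE-2026-33807, CVE-2026-33808, CVE-2026-22037 and CVE-2026-22031) name the same inputs: duplicate slashes, semicolon path parameters and percent-encoded characters taking a request around a middleware that matches on path. The classic shape of that bug is an authorization middleware testing a prefix against the raw path while the router dispatches on a different reading of it. The example below is added here and is not code from @fastify/express, middie or fastify; it shows a raw-path mount test beside the canonicalisation that has to run before any such test, over constructed probe paths. The function names, the /admin prefix and the probes are illustrative assumptions.

```javascript
// Added example, not code from @fastify/express, middie or fastify. A
// raw-path prefix test of the kind a mounted authorization middleware
// performs, beside the canonicalisation that has to run before any such
// test. The probe paths are constructed; the patterns (duplicate slashes,
// ";" path parameters, percent-encoded letters, dot segments) are the ones
// the advisory titles name.

// Canonicalise a request path for an authorization decision:
//   1. drop query string and fragment
//   2. refuse an encoded slash, then percent-decode once (refusing bad %xx)
//   3. strip ";param" suffixes from each segment
//   4. drop empty segments ("//") and resolve "." and ".."
// Returns null when the path cannot be canonicalised safely; callers treat
// null as "deny", never as "not protected".
function canonicalPath(rawPath) {
  const noQuery = rawPath.split(/[?#]/, 1)[0];
  if (/%2f/i.test(noQuery)) return null;   // would change segmentation after decoding
  let decoded;
  try {
    decoded = decodeURIComponent(noQuery);
  } catch (e) {
    return null;                            // invalid percent-encoding
  }
  const out = [];
  for (const seg of decoded.split('/')) {
    const name = seg.split(';', 1)[0];      // ";jsessionid=..." is not part of the name
    if (name === '' || name === '.') continue;
    if (name === '..') { out.pop(); continue; }
    out.push(name);
  }
  return '/' + out.join('/');
}

// Weak form: an Express-style mount test on whatever the client sent.
function isProtectedRaw(rawPath) {
  return rawPath === '/admin' || rawPath.startsWith('/admin/');
}

// Hardened form: canonicalise first and fail closed. Whatever dispatches the
// route must consume the same canonical path, otherwise the two views of the
// request diverge again and the check can be stepped around.
function isProtectedCanonical(rawPath) {
  const c = canonicalPath(rawPath);
  if (c === null) return true;
  return c === '/admin' || c.startsWith('/admin/');
}

// Constructed probes: all five canonicalise to /admin/users, but only the
// first satisfies the raw mount test.
const PATH_PROBES = [
  '/admin/users',
  '//admin/users',
  '/admin;x/users',
  '/%61dmin/users',
  '/public/../admin/users',
];

// Paths the raw test would wave through although they land on /admin/...
function bypassesRaw(paths) {
  return paths.filter(p => !isProtectedRaw(p) && isProtectedCanonical(p));
}
```

Two choices in canonicalPath are deliberate: it decodes exactly once, so a double-encoded slash stays a literal "%2F" inside a segment rather than becoming a separator, and it returns null instead of a best guess, so a path the decoder cannot make sense of is denied rather than passed on. Running the auth check on a canonical path only helps if the router sees the same canonical path; applying the function once, before both, is the point.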

This page lists every published CVE security advisory associated with fastify. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.