Known Vulnerabilities for products from Fastify
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Fastify".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-42353 json | Not Provided | 2026-05-08 | 2026-05-08 | |
| CVE-2026-41690 json | Not Provided | 2026-05-08 | 2026-05-08 | |
| CVE-2026-41683 json | Not Provided | 2026-05-08 | 2026-05-08 | |
| CVE-2026-34076 json | Not Provided | 2026-04-01 | 2026-04-01 | |
| CVE-2026-33808 json | Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify rout... | Not Provided | 2026-04-15 | 2026-06-01 |
| CVE-2026-33807 json | @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to b... | Not Provided | 2026-04-15 | 2026-06-01 |
| CVE-2026-33806 json | Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed ent... | Not Provided | 2026-04-15 | 2026-04-17 |
| CVE-2026-33805 json | @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header af... | Not Provided | 2026-04-15 | 2026-06-01 |
| CVE-2026-33804 json | Not Provided | 2026-04-16 | 2026-04-16 | |
| CVE-2026-22031 json | @fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastif... | Not Provided | 2026-01-19 | 2026-05-14 |
| CVE-2026-8723 json | Not Provided | 2026-05-17 | 2026-05-18 | |
| CVE-2026-7768 json | @fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or ev... | Not Provided | 2026-05-04 | 2026-05-29 |
| CVE-2026-6414 json | @fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2026-6410 json | @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The ... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2026-6270 json | @fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. Wh... | Not Provided | 2026-04-16 | 2026-05-14 |
| CVE-2026-3635 json | Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a s... | Not Provided | 2026-03-23 | 2026-04-16 |
| CVE-2026-2880 json | A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped ... | Not Provided | 2026-02-27 | 2026-05-14 |
| CVE-2023-31999 json | All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests... | 8.8 - HIGH | 2023-07-04 | 2023-07-17 |
| CVE-2023-29020 json | @fastify/passport is a port of passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forger... | 6.5 - MEDIUM | 2023-04-21 | 2023-05-03 |
| CVE-2023-29019 json | @fastify/passport is a port of passport authentication library for the Fastify ecosystem. Applications using `@fastify/passpo... | 8.1 - HIGH | 2023-04-21 | 2023-05-04 |
Known software with vulnerabilities from Fastify
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Fastify | Fastify | 0.1.0 |
| Application | Fastify | Fastify-csrf | 1.0.0 |
| Application | Fastify | Fastify-multipart | 0.1.0 |