npm

fastify

35 known vulnerabilities · 0 critical · 8 high

CVE-2026-3635

fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections

Published Mar 25, 2026
CVE-2026-3419

Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation

Published Mar 5, 2026
CVE-2018-3711 · HIGH

Denial of Service vulnerability with large JSON payloads in fastify

Published Jul 18, 2018
GHSA-247c-9743-5963

Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header

Published Apr 15, 2026
CVE-2022-39288 · HIGH

fastify vulnerable to denial of service via malicious Content-Type

Published Oct 11, 2022
CVE-2022-41919 · MEDIUM

Fastify: Incorrect Content-Type parsing can lead to CSRF attack

Published Nov 21, 2022
CVE-2026-25223

Fastify's Content-Type header tab character allows body validation bypass

Published Feb 2, 2026
CVE-2026-25224

Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

Published Feb 2, 2026
CVE-2020-8192 · MEDIUM

Denial of service in fastify

Published Aug 5, 2020
CVE-2023-29019 · HIGH

Session fixation in fastify-passport

Published Apr 21, 2023
CVE-2023-29020 · MEDIUM

CSRF token fixation in fastify-passport

Published Apr 21, 2023
CVE-2023-31999 · HIGH

@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state

Published Jul 5, 2023
GHSA-gwhp-pf74-vj37

Fastify's connection header abuse enables stripping of proxy-added headers

Published Apr 16, 2026
GHSA-72c6-fx6q-fr5w

@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes

Published Apr 16, 2026
CVE-2025-69211

Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

Published Dec 30, 2025
CVE-2020-28482 · MEDIUM

Cross-site Request Forgery in fastify-csrf

Published Jan 20, 2021
CVE-2022-39386 · HIGH

fastify/websocket vulnerable to uncaught exception via crash on malformed packet

Published Nov 7, 2022
GHSA-x428-ghpx-8j92

@fastify/static vulnerable to route guard bypass via encoded path separators

Published Apr 16, 2026
GHSA-6hw5-45gm-fj88

@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Published Apr 16, 2026
CVE-2025-66415

fastify-reply-from affected by bypass of reply forwarding

Published Dec 2, 2025
GHSA-7q64-3rg2-h9pf

Duplicate Advisory: Nest has a Fastify URL Encoding Middleware Bypass

Published Feb 27, 2026
CVE-2026-22031

Fastify Middie Middleware Path Bypass

Published Jan 20, 2026
CVE-2021-23597 · HIGH

Uncaught Exception in fastify-multipart

Published Feb 11, 2022
CVE-2026-22037

@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)

Published Jan 20, 2026
CVE-2026-2880

@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware

Published Feb 28, 2026
GHSA-hrwm-hgmj-7p9c

@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes

Published Apr 16, 2026
CVE-2020-8136 · HIGH

Uncontrolled Resource Consumption in fastify-multipart

Published May 6, 2021
GHSA-pr96-94w5-mx2h

@fastify/static vulnerable to path traversal in directory listing

Published Apr 16, 2026
CVE-2026-2293

Nest has a Fastify URL Encoding Middleware Bypass

Published Mar 2, 2026
GHSA-v9ww-2j6r-98q6

@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

Published Apr 16, 2026
CVE-2021-29624 · MEDIUM

Lack of protection against cookie tossing attacks in fastify-csrf

Published May 17, 2021
CVE-2026-33011

Nest Fastify HEAD Request Middleware Bypass

Published Mar 17, 2026
CVE-2022-31142 · HIGH

fastify-bearer-auth vulnerable to Timing Attack Vector

Published Jul 15, 2022
CVE-2021-22963 · MEDIUM

URL Redirection to Untrusted Site ('Open Redirect') in fastify-static

Published Oct 5, 2021
MAL-2024-11195

Malicious code in fastify-tfb (npm)

Published Dec 4, 2024