OpenJS Foundation CVE Numbering Authority

OpenJS Foundation CVE Numbering Authority - Security Advisories The OpenJS Foundation's CVE Numbering Authority (CNA) https://cna.openjsf.org/security-advisories.html en Sat, 25 Apr 2026 11:25:24 +0000 CVE-2026-33804: @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6 CVE-2026-33804::@fastify/middie Thu, 16 Apr 2026 00:00:00 +0000 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option in @fastify/middie. CVE: CVE-2026-33804. Advisory: https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6 CVE-2026-6270: @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w CVE-2026-6270::@fastify/middie Thu, 16 Apr 2026 00:00:00 +0000 @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes in @fastify/middie. CVE: CVE-2026-6270. Advisory: https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w CVE-2026-6410: @fastify/static vulnerable to path traversal in directory listing https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h CVE-2026-6410::@fastify/static Thu, 16 Apr 2026 00:00:00 +0000 @fastify/static vulnerable to path traversal in directory listing in @fastify/static. CVE: CVE-2026-6410. Advisory: https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h CVE-2026-6414: @fastify/static vulnerable to route guard bypass via encoded path separators https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92 CVE-2026-6414::@fastify/static Thu, 16 Apr 2026 00:00:00 +0000 @fastify/static vulnerable to route guard bypass via encoded path separators in @fastify/static. CVE: CVE-2026-6414. Advisory: https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92 CVE-2026-33805: @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37 CVE-2026-33805::@fastify/reply-from Wed, 15 Apr 2026 00:00:00 +0000 @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers in @fastify/reply-from. CVE: CVE-2026-33805. Advisory: https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37 CVE-2026-33805: @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37 CVE-2026-33805::@fastify/http-proxy Wed, 15 Apr 2026 00:00:00 +0000 @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers in @fastify/http-proxy. CVE: CVE-2026-33805. Advisory: https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37 CVE-2026-33807: @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c CVE-2026-33807::@fastify/express Wed, 15 Apr 2026 00:00:00 +0000 @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes in @fastify/express. CVE: CVE-2026-33807. Advisory: https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c CVE-2026-33808: @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88 CVE-2026-33808::@fastify/express Wed, 15 Apr 2026 00:00:00 +0000 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) in @fastify/express. CVE: CVE-2026-33808. Advisory: https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88 CVE-2026-33806: fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header https://github.com/fastify/fastify/security/advisories/GHSA-247c-9743-5963 CVE-2026-33806::fastify Tue, 14 Apr 2026 00:00:00 +0000 fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header in fastify. CVE: CVE-2026-33806. Advisory: https://github.com/fastify/fastify/security/advisories/GHSA-247c-9743-5963 CVE-2026-4800: Incomplete fix for CVE-2021-23337 allows code injection via _.template imports key names https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc CVE-2026-4800::lodash Tue, 31 Mar 2026 00:00:00 +0000 Incomplete fix for CVE-2021-23337 allows code injection via _.template imports key names in lodash. CVE: CVE-2026-4800. Advisory: https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc CVE-2026-2950: lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh CVE-2026-2950::lodash Tue, 31 Mar 2026 00:00:00 +0000 lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit in lodash. CVE: CVE-2026-2950. Advisory: https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh CVE-2026-4926: path-to-regexp vulnerable to Denial of Service via sequential optional groups https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f CVE-2026-4926::path-to-regexp Thu, 26 Mar 2026 00:00:00 +0000 path-to-regexp vulnerable to Denial of Service via sequential optional groups in path-to-regexp. CVE: CVE-2026-4926. Advisory: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f CVE-2026-4923: ReDoS possible with multiple wildcards https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7 CVE-2026-4923::path-to-regexp Thu, 26 Mar 2026 00:00:00 +0000 ReDoS possible with multiple wildcards in path-to-regexp. CVE: CVE-2026-4923. Advisory: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7 CVE-2026-4867: path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2 CVE-2026-4867::path-to-regexp Thu, 26 Mar 2026 00:00:00 +0000 path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters in path-to-regexp. CVE: CVE-2026-4867. Advisory: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2 CVE-2026-3635: Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf CVE-2026-3635::fastify Mon, 23 Mar 2026 00:00:00 +0000 Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function in fastify. CVE: CVE-2026-3635. Advisory: https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf CVE-2026-2581: Unbounded Memory Consumption in Undici's DeduplicationHandler via Response Buffering leads to DoS https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h CVE-2026-2581::undici Thu, 12 Mar 2026 00:00:00 +0000 Unbounded Memory Consumption in Undici's DeduplicationHandler via Response Buffering leads to DoS in undici. CVE: CVE-2026-2581. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h CVE-2026-1527: CRLF Injection in undici via upgrade option https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq CVE-2026-1527::undici Thu, 12 Mar 2026 00:00:00 +0000 CRLF Injection in undici via upgrade option in undici. CVE: CVE-2026-1527. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq CVE-2026-1528: Malicious WebSocket 64-bit length overflows undici parser and crashes the client https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj CVE-2026-1528::undici Thu, 12 Mar 2026 00:00:00 +0000 Malicious WebSocket 64-bit length overflows undici parser and crashes the client in undici. CVE: CVE-2026-1528. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj CVE-2026-2229: Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8 CVE-2026-2229::undici Thu, 12 Mar 2026 00:00:00 +0000 Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation in undici. CVE: CVE-2026-2229. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8 CVE-2026-1526: Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q CVE-2026-1526::undici Thu, 12 Mar 2026 00:00:00 +0000 Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression in undici. CVE: CVE-2026-1526. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q CVE-2026-1525: Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) in undici https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm CVE-2026-1525::undici Thu, 12 Mar 2026 00:00:00 +0000 Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) in undici in undici. CVE: CVE-2026-1525. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm CVE-2026-3419: Fastify vulnerable to missing end anchor in subtypeNameReg Allows Malformed Content-Types to Pass Validation https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9 CVE-2026-3419::fastify Thu, 05 Mar 2026 00:00:00 +0000 Fastify vulnerable to missing end anchor in subtypeNameReg Allows Malformed Content-Types to Pass Validation in fastify. CVE: CVE-2026-3419. Advisory: https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9 CVE-2026-3520: Multer vulnerable to Denial of Service via uncontrolled recursion https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2 CVE-2026-3520::multer Wed, 04 Mar 2026 00:00:00 +0000 Multer vulnerable to Denial of Service via uncontrolled recursion in multer. CVE: CVE-2026-3520. Advisory: https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2 CVE-2026-2880: @fastify/middie has an improper path normalization vulnerability https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw CVE-2026-2880::@fastify/middie Fri, 27 Feb 2026 00:00:00 +0000 @fastify/middie has an improper path normalization vulnerability in @fastify/middie. CVE: CVE-2026-2880. Advisory: https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw CVE-2026-3304: Multer vulnerable to Denial of Service via incomplete cleanup https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p CVE-2026-3304::multer Fri, 27 Feb 2026 00:00:00 +0000 Multer vulnerable to Denial of Service via incomplete cleanup in multer. CVE: CVE-2026-3304. Advisory: https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p CVE-2026-2359: multer vulnerable to Denial of Service via resource exhaustion https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc CVE-2026-2359::multer Fri, 27 Feb 2026 00:00:00 +0000 multer vulnerable to Denial of Service via resource exhaustion in multer. CVE: CVE-2026-2359. Advisory: https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc CVE-2025-13465: Prototype Pollution Vulnerability in Lodash `_.unset` and `_.omit` functions https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg CVE-2025-13465::lodash Wed, 21 Jan 2026 00:00:00 +0000 Prototype Pollution Vulnerability in Lodash `_.unset` and `_.omit` functions in lodash. CVE: CVE-2025-13465. Advisory: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg CVE-2025-13466: body-parser vulnerable to denial of service when url encoding is used https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4 CVE-2025-13466::body-parser Mon, 24 Nov 2025 00:00:00 +0000 body-parser vulnerable to denial of service when url encoding is used in body-parser. CVE: CVE-2025-13466. Advisory: https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4 CVE-2025-7339: on-headers vulnerable to http response header manipulation https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q CVE-2025-7339::on-headers Thu, 17 Jul 2025 00:00:00 +0000 on-headers vulnerable to http response header manipulation in on-headers. CVE: CVE-2025-7339. Advisory: https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q CVE-2025-7338: Multer vulnerable to Denial of Service via unhandled exception from malformed request https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p CVE-2025-7338::multer Thu, 17 Jul 2025 00:00:00 +0000 Multer vulnerable to Denial of Service via unhandled exception from malformed request in multer. CVE: CVE-2025-7338. Advisory: https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p