The OpenJS Foundation's CVE Numbering Authority (CNA)

Security Advisories

| Date | CVE ID | Advisory | Project | Title |
|---|---|---|---|---|
| 2026-04-16 | CVE-2026-33804 | Advisory | @fastify/middie | @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option |
| 2026-04-16 | CVE-2026-6270 | Advisory | @fastify/middie | @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes |
| 2026-04-16 | CVE-2026-6410 | Advisory | @fastify/static | @fastify/static vulnerable to path traversal in directory listing |
| 2026-04-16 | CVE-2026-6414 | Advisory | @fastify/static | @fastify/static vulnerable to route guard bypass via encoded path separators |
| 2026-04-15 | CVE-2026-33805 | Advisory | @fastify/reply-from | @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers |
| 2026-04-15 | CVE-2026-33805 | Advisory | @fastify/http-proxy | @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers |
| 2026-04-15 | CVE-2026-33807 | Advisory | @fastify/express | @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes |
| 2026-04-15 | CVE-2026-33808 | Advisory | @fastify/express | @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) |
| 2026-04-14 | CVE-2026-33806 | Advisory | fastify | fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header |
| 2026-03-31 | CVE-2026-4800 | Advisory | lodash | Incomplete fix for CVE-2021-23337 allows code injection via _.template imports key names |
| 2026-03-31 | CVE-2026-2950 | Advisory | lodash | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit |
| 2026-03-26 | CVE-2026-4926 | Advisory | path-to-regexp | path-to-regexp vulnerable to Denial of Service via sequential optional groups |
| 2026-03-26 | CVE-2026-4923 | Advisory | path-to-regexp | ReDoS possible with multiple wildcards |
| 2026-03-26 | CVE-2026-4867 | Advisory | path-to-regexp | path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters |
| 2026-03-23 | CVE-2026-3635 | Advisory | fastify | Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function |
| 2026-03-12 | CVE-2026-2581 | Advisory | undici | Unbounded Memory Consumption in Undici's DeduplicationHandler via Response Buffering leads to DoS |
| 2026-03-12 | CVE-2026-1527 | Advisory | undici | CRLF Injection in undici via upgrade option |
| 2026-03-12 | CVE-2026-1528 | Advisory | undici | Malicious WebSocket 64-bit length overflows undici parser and crashes the client |
| 2026-03-12 | CVE-2026-2229 | Advisory | undici | Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation |
| 2026-03-12 | CVE-2026-1526 | Advisory | undici | Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression |
| 2026-03-12 | CVE-2026-1525 | Advisory | undici | Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) in undici |
| 2026-03-05 | CVE-2026-3419 | Advisory | fastify | Fastify vulnerable to missing end anchor in subtypeNameReg Allows Malformed Content-Types to Pass Validation |
| 2026-03-04 | CVE-2026-3520 | Advisory | multer | Multer vulnerable to Denial of Service via uncontrolled recursion |
| 2026-02-27 | CVE-2026-2880 | Advisory | @fastify/middie | @fastify/middie has an improper path normalization vulnerability |
| 2026-02-27 | CVE-2026-3304 | Advisory | multer | Multer vulnerable to Denial of Service via incomplete cleanup |
| 2026-02-27 | CVE-2026-2359 | Advisory | multer | multer vulnerable to Denial of Service via resource exhaustion |
| 2026-01-21 | CVE-2025-13465 | Advisory | lodash | Prototype Pollution Vulnerability in Lodash `_.unset` and `_.omit` functions |
| 2025-11-24 | CVE-2025-13466 | Advisory | body-parser | body-parser vulnerable to denial of service when url encoding is used |
| 2025-07-17 | CVE-2025-7339 | Advisory | on-headers | on-headers vulnerable to http response header manipulation |
| 2025-07-17 | CVE-2025-7338 | Advisory | multer | Multer vulnerable to Denial of Service via unhandled exception from malformed request |