fastify

28 known vulnerabilities across versions. Vulnerabilities are listed by affected version.

CVE-2026-33804
Affected versions: < 9.3.2
CVSS: 7.4 HIGH
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes

CVE-2026-6410
Affected versions: >= 8.0.0 and < 9.1.1
CVSS: 5.3 MEDIUM
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirLi

CVE-2026-6270
Affected versions: < 9.3.2
CVSS: 9.1 CRITICAL
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a

CVE-2026-6414
Affected versions: >= 8.0.0 and < 9.1.1
CVSS: 5.9 MEDIUM
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fast

CVE-2026-33806
Affected versions: >= 5.3.2 and < 5.8.5
CVSS: 7.5 HIGH
Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely

CVE-2026-3635
Affected versions: < 5.8.3
CVSS: 6.1 MEDIUM
Summary: When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet

CVE-2026-3419
Affected versions: >= 5.7.2 and < 5.8.1
CVSS: 5.3 MEDIUM
Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation

CVE-2026-2880
Affected versions: < 9.2.0
CVSS: 9.1 CRITICAL
A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middl

CVE-2026-25224
Affected versions: < 5.7.3
CVSS: 3.7 LOW
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastif

CVE-2026-25223
Affected versions: < 5.7.2
CVSS: 7.5 HIGH
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in

CVE-2026-22031
Affected versions: < 9.1.0
CVSS: 8.4 HIGH
@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/mid

CVE-2025-66415
Affected versions: <= 12.4.0
CVSS: 5.4 MEDIUM
fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malic

CVE-2025-32442
Affected versions: >= 5.0.0 and < 5.3.2
CVSS: 7.5 HIGH
Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications

CVE-2023-51701
Affected versions: < 9.6.0
CVSS: 5.3 MEDIUM
fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. A reverse proxy server built with `@

CVE-2023-29020
Affected versions: < 1.1.0
CVSS: 6.5 MEDIUM
@fastify/passport is a port of the passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forgery) pro

CVE-2023-29019
Affected versions: < 1.1.0
CVSS: 8.1 HIGH
@fastify/passport is a port of the passport authentication library for the Fastify ecosystem. Applications using @fastify/passport i

CVE-2023-25576
Affected versions: < 6.0.1
CVSS: 7.5 HIGH
@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart

CVE-2022-41919
Affected versions: >= 3.0.0 and < 3.29.4
CVSS: 4.2 MEDIUM
Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect Content-Type to byp

CVE-2022-39288
Affected versions: < 4.8.1
CVSS: 7.5 HIGH
fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via

CVE-2022-31142
Affected versions: >= 5.0.1 and < 7.0.2
CVSS: 7.5 HIGH
@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and

CVE-2021-23597
Affected versions: < 5.3.1
CVSS: 7.5 HIGH
This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash th

CVE-2021-22964
Affected versions: >= 4.2.4 and < 4.4.1
CVSS: 8.8 HIGH
A redirect vulnerability in the fastify-static module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla F

CVE-2021-22963
Affected versions: < 4.2.4
CVSS: 6.1 MEDIUM
A redirect vulnerability in the fastify-static module version < 4.2.4 allows remote attackers to redirect users to arbitrary websi

CVE-2021-29624
Affected versions: < 3.1.0
CVSS: 6.5 MEDIUM
fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf

CVE-2020-28482
Affected versions: < 3.0.0
CVSS: 5.9 MEDIUM
This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly

CVE-2020-8192
Affected versions: all versions
CVSS: 6.5 MEDIUM
A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhau

CVE-2020-8136
Affected versions: < 1.0.5
CVSS: 7.5 HIGH
Prototype pollution vulnerability in fastify-multipart < 1.0.5 allows an attacker to crash fastify applications parsing multipart

CVE-2018-3711
Affected versions: < 0.38.0
CVSS: 7.5 HIGH
Fastify node module before 0.38.0 is vulnerable to a denial-of-service attack by sending a request with "Content-Type: application

threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin