CWE-177

Improper Handling of URL Encoding (Hex Encoding)

5 CVEs, average CVSS 6.7 (source: MITRE)
Severity breakdown: 0 critical, 3 high, 1 medium, 1 low
Public PoC: 0 | In CISA KEV: 0


CVE-2026-6414 | npm | MEDIUM | Patch available | GHSA | This Month

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.

Tags: Authentication Bypass
References: NVD, GitHub
CVSS 3.1: 5.9 | EPSS: 0.0%
CVE-2026-29045 | npm | HIGH | Patch available | This Week

Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middleware protections due to inconsistent URL decoding between the router and file serving components. An unauthenticated remote attacker can exploit this mismatch by encoding slashes (%2F) in request paths to access protected static resources that should be restricted by middleware rules. A patch is available in version 4.12.4 and later.

Tags: Authentication Bypass, Hono
References: NVD, GitHub
CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2026-22037 | npm | HIGH | Patch available | This Week

The @fastify/express plugin prior to version 4.0.3 allows authenticated attackers to bypass path-based middleware restrictions by submitting URL-encoded characters in requests, such as using /%61dmin instead of /admin. While the middleware engine fails to match the encoded path, the underlying Fastify router correctly decodes it and routes the request to handlers, enabling unauthorized access to protected endpoints. This affects Node.js applications using vulnerable versions of the plugin.

Tags: Node.js
References: NVD, GitHub
CVSS 3.1: 8.4 | EPSS: 0.1%
CVE-2026-22031 | npm | HIGH | Patch available | This Week

Middleware path-matching bypass in @fastify/middie before version 9.1.0 allows authenticated attackers to access protected endpoints by using URL-encoded characters in requests, as the middleware engine fails to decode paths while the underlying router does. An attacker with valid credentials can exploit this inconsistency to circumvent middleware security controls and access restricted functionality. This vulnerability requires low privileges and network access, with no patch currently available.

Tags: Authentication Bypass
References: NVD, GitHub, VulDB
CVSS 3.1: 8.4 | EPSS: 0.1%
CVE-2025-11990 | LOW | Monitor

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Tags: CSRF, GitLab
References: NVD
CVSS 3.1: 3.1 | EPSS: 0.0%