GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
15 advisories
@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware
High
CVE-2026-2880
was published
for
@fastify/middie
(npm)
Feb 28, 2026
Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream
Low
CVE-2026-25224
was published
for
fastify
(npm)
Feb 2, 2026
@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)
High
CVE-2026-22037
was published
for
@fastify/express
(npm)
Jan 20, 2026
Fastify Middie Middleware Path Bypass
High
CVE-2026-22031
was published
for
@fastify/middie
(npm)
Jan 20, 2026
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
Moderate
CVE-2026-22036
was published
for
undici
(npm)
Jan 14, 2026
Withdrawn Advisory: fast-redact vulnerable to prototype pollution
Low
CVE-2025-57319
was published
for
fast-redact
(npm)
Sep 24, 2025
•
withdrawn
undici Denial of Service attack via bad certificate data
Low
CVE-2025-47279
was published
for
undici
(npm)
May 15, 2025
Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
High
CVE-2025-32442
was published
for
fastify
(npm)
Apr 18, 2025
Use of Insufficiently Random Values in undici
Moderate
CVE-2025-22150
was published
for
undici
(npm)
Jan 21, 2025
find-my-way has a ReDoS vulnerability in multiparametric routes
High
CVE-2024-45813
was published
for
find-my-way
(npm)
Sep 18, 2024
@fastify/secure-session: Reuse of destroyed secure session cookie
High
CVE-2024-31999
was published
for
@fastify/secure-session
(npm)
Apr 10, 2024
Undici proxy-authorization header not cleared on cross-origin redirect in fetch
Low
CVE-2024-24758
was published
for
undici
(npm)
Feb 16, 2024
fetch(url) leads to a memory leak in undici
Moderate
CVE-2024-24750
was published
for
undici
(npm)
Feb 16, 2024
Undici's cookie header not cleared on cross-origin redirect in fetch
Low
CVE-2023-45143
was published
for
undici
(npm)
Oct 16, 2023
@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state
High
CVE-2023-31999
was published
for
@fastify/oauth2
(npm)
Jul 5, 2023
ProTip!
Advisories are also available from the
GraphQL API