Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/fastify@2.8.0

Type npm

Namespace

Name fastify

Version 2.8.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.8.5

Latest_non_vulnerable_version 5.8.5

Affected_by_vulnerabilities

url VCID-6ht9-gg8u-9qax

vulnerability_id VCID-6ht9-gg8u-9qax

summary Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25224.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25224.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-25224

reference_id

reference_type

scores

value	0.0002
scoring_system	epss
scoring_elements	0.05698
published_at	2026-06-13T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.0568
published_at	2026-06-11T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05706
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-25224

reference_url

https://github.com/fastify/fastify

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/fastify/fastify

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2436557
reference_id	2436557
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2436557

reference_url

https://hackerone.com/reports/3524779

reference_id

3524779

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:20:26Z/

url

https://hackerone.com/reports/3524779

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-25224

reference_id

CVE-2026-25224

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-25224

reference_url

https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37

reference_id

eb11156396f6a5fedaceed0140aed2b7f026be37

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:20:26Z/

url

https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37

reference_url

https://github.com/advisories/GHSA-mrq3-vjjr-p77c

reference_id

GHSA-mrq3-vjjr-p77c

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mrq3-vjjr-p77c

reference_url

https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c

reference_id

GHSA-mrq3-vjjr-p77c

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:20:26Z/

url

https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c

fixed_packages

url pkg:npm/fastify@5.7.3

purl pkg:npm/fastify@5.7.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-64tj-czqk-gyf1

vulnerability	VCID-g4ar-bpke-2qc2

vulnerability	VCID-mjfs-h1jx-2yar

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.7.3

aliases CVE-2026-25224, GHSA-mrq3-vjjr-p77c

risk_score 1.6

exploitability 0.5

weighted_severity 3.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6ht9-gg8u-9qax

url VCID-76v3-f591-2qdt

vulnerability_id VCID-76v3-f591-2qdt

summary github-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check if a commit created by dependabot is verified with the proper GPG key. There is just a check if the actor is set to `dependabot[bot]` to determine if the PR is a legit PR. Theoretically, an owner of a seemingly valid and legit action in the pipeline can check if the PR is created by dependabot and if their own action has enough permissions to modify the PR in the pipeline. If so, they can modify the PR by adding a second seemingly valid and legit commit to the PR, as they can set arbitrarily the username and email in for commits in git. Because the bot only checks if the actor is valid, it would pass the malicious changes through and merge the PR automatically, without getting noticed by project maintainers. It would probably not be possible to determine where the malicious commit came from, as it would only say `dependabot[bot]` and the corresponding email-address. Version 3.2.0 contains a patch for this issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-29220

reference_id

reference_type

scores

value	0.00082
scoring_system	epss
scoring_elements	0.24077
published_at	2026-06-11T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.24283
published_at	2026-06-13T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.24273
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-29220

reference_url

https://github.com/fastify/github-action-merge-dependabot/commit/309f39539c5d918d8a47075587aa8720a9c127f7

reference_id

309f39539c5d918d8a47075587aa8720a9c127f7

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:06:35Z/

url

https://github.com/fastify/github-action-merge-dependabot/commit/309f39539c5d918d8a47075587aa8720a9c127f7

reference_url

https://hackerone.com/bugs?report_id=1564530

reference_id

bugs?report_id=1564530

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:06:35Z/

url

https://hackerone.com/bugs?report_id=1564530

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2022-29220
reference_id	CVE-2022-29220
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2022-29220

reference_url

https://github.com/fastify/github-action-merge-dependabot/security/advisories/GHSA-v5vr-h3xq-8v6w

reference_id

GHSA-v5vr-h3xq-8v6w

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:06:35Z/

url

https://github.com/fastify/github-action-merge-dependabot/security/advisories/GHSA-v5vr-h3xq-8v6w

fixed_packages

url pkg:npm/fastify@3.2.0

purl pkg:npm/fastify@3.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6ht9-gg8u-9qax

vulnerability	VCID-8p2p-977a-qqb6

vulnerability	VCID-f1g6-gvqq-6kbf

vulnerability	VCID-g4ar-bpke-2qc2

vulnerability	VCID-gmrs-ecv5-6kgm

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fastify@3.2.0

aliases CVE-2022-29220, GHSA-v5vr-h3xq-8v6w

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-76v3-f591-2qdt

url VCID-8p2p-977a-qqb6

vulnerability_id VCID-8p2p-977a-qqb6

summary Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25223.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25223.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-25223

reference_id

reference_type

scores

value	0.00022
scoring_system	epss
scoring_elements	0.06285
published_at	2026-06-13T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.06277
published_at	2026-06-11T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.06297
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-25223

reference_url

https://github.com/fastify/fastify

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/fastify/fastify

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2436560
reference_id	2436560
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2436560

reference_url

https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821

reference_id

32d7b6add39ddf082d92579a58bea7018c5ac821

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/

url

https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821

reference_url

https://hackerone.com/reports/3464114

reference_id

3464114

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/

url

https://hackerone.com/reports/3464114

reference_url

https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125

reference_id

content-type-parser.js#L125

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/

url

https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-25223

reference_id

CVE-2026-25223

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-25223

reference_url

https://github.com/advisories/GHSA-jx2c-rxcm-jvmq

reference_id

GHSA-jx2c-rxcm-jvmq

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jx2c-rxcm-jvmq

reference_url

https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq

reference_id

GHSA-jx2c-rxcm-jvmq

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/

url

https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq

reference_url	https://access.redhat.com/errata/RHSA-2026:10184
reference_id	RHSA-2026:10184
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10184

reference_url	https://access.redhat.com/errata/RHSA-2026:5807
reference_id	RHSA-2026:5807
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:5807

reference_url	https://access.redhat.com/errata/RHSA-2026:6192
reference_id	RHSA-2026:6192
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6192

reference_url

https://fastify.dev/docs/latest/Reference/Validation-and-Serialization

reference_id

Validation-and-Serialization

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/

url

https://fastify.dev/docs/latest/Reference/Validation-and-Serialization

reference_url

https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272

reference_id

validation.js#L272

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/

url

https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272

fixed_packages

url pkg:npm/fastify@5.7.2

purl pkg:npm/fastify@5.7.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-64tj-czqk-gyf1

vulnerability	VCID-6ht9-gg8u-9qax

vulnerability	VCID-g4ar-bpke-2qc2

vulnerability	VCID-mjfs-h1jx-2yar

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.7.2

aliases CVE-2026-25223, GHSA-jx2c-rxcm-jvmq

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8p2p-977a-qqb6

url VCID-f1g6-gvqq-6kbf

vulnerability_id VCID-f1g6-gvqq-6kbf

summary fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Type headers.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-39288

reference_id

reference_type

scores

value	0.04685
scoring_system	epss
scoring_elements	0.8958
published_at	2026-06-11T12:55:00Z

value	0.04685
scoring_system	epss
scoring_elements	0.89621
published_at	2026-06-13T12:55:00Z

value	0.04685
scoring_system	epss
scoring_elements	0.89614
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-39288

reference_url

https://github.com/fastify/fastify

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/fastify/fastify

reference_url

https://hackerone.com/bugs?report_id=1715536&subject=fastify

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/bugs?report_id=1715536&subject=fastify

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-39288

reference_id

CVE-2022-39288

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-39288

reference_url

https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3

reference_id

fbb07e8dfad74c69cd4cd2211aedab87194618e3

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:15Z/

url

https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3

reference_url

https://github.com/advisories/GHSA-455w-c45v-86rg

reference_id

GHSA-455w-c45v-86rg

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-455w-c45v-86rg

reference_url

https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg

reference_id

GHSA-455w-c45v-86rg

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:15Z/

url

https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg

reference_url

https://github.com/fastify/fastify/security/policy

reference_id

policy

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:15Z/

url

https://github.com/fastify/fastify/security/policy

fixed_packages

url pkg:npm/fastify@4.8.1

purl pkg:npm/fastify@4.8.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6ht9-gg8u-9qax

vulnerability	VCID-8p2p-977a-qqb6

vulnerability	VCID-g4ar-bpke-2qc2

vulnerability	VCID-gmrs-ecv5-6kgm

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fastify@4.8.1

aliases CVE-2022-39288, GHSA-455w-c45v-86rg

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f1g6-gvqq-6kbf

url VCID-g4ar-bpke-2qc2

vulnerability_id VCID-g4ar-bpke-2qc2

summary

Summary
When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions
fastify <= 5.8.2

Impact
Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3635.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3635.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-3635

reference_id

reference_type

scores

value	0.00012
scoring_system	epss
scoring_elements	0.01849
published_at	2026-06-11T12:55:00Z

value	0.00012
scoring_system	epss
scoring_elements	0.01852
published_at	2026-06-13T12:55:00Z

value	0.00012
scoring_system	epss
scoring_elements	0.01851
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-3635

reference_url

https://github.com/fastify/fastify

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/fastify/fastify

reference_url

https://github.com/fastify/fastify/releases/tag/v5.8.3

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/fastify/fastify/releases/tag/v5.8.3

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-3635

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-3635

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2450330
reference_id	2450330
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2450330

reference_url

https://www.cve.org/CVERecord?id=CVE-2026-3635

reference_id

CVERecord?id=CVE-2026-3635

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/

url

https://www.cve.org/CVERecord?id=CVE-2026-3635

reference_url

https://github.com/advisories/GHSA-444r-cwp2-x5xf

reference_id

GHSA-444r-cwp2-x5xf

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-444r-cwp2-x5xf

reference_url

https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf

reference_id

GHSA-444r-cwp2-x5xf

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/

url

https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf

reference_url

https://cna.openjsf.org/security-advisories.html

reference_id

security-advisories.html

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/

url

https://cna.openjsf.org/security-advisories.html

fixed_packages

url pkg:npm/fastify@5.8.3

purl pkg:npm/fastify@5.8.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-64tj-czqk-gyf1

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.8.3

aliases CVE-2026-3635, GHSA-444r-cwp2-x5xf

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g4ar-bpke-2qc2

url VCID-t6pc-rnnq-g3gv

vulnerability_id VCID-t6pc-rnnq-g3gv

summary Denial of service in fastify

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-8192

reference_id

reference_type

scores

value	0.00383
scoring_system	epss
scoring_elements	0.60131
published_at	2026-06-12T12:55:00Z

value	0.00383
scoring_system	epss
scoring_elements	0.60024
published_at	2026-06-11T12:55:00Z

value	0.00383
scoring_system	epss
scoring_elements	0.60143
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-8192

reference_url

https://github.com/fastify/fastify/commit/74c3157ca90c3ffed9e4434f63c2017471ec970e

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/fastify/fastify/commit/74c3157ca90c3ffed9e4434f63c2017471ec970e

reference_url

https://hackerone.com/reports/903521

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/903521

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-8192

reference_id

CVE-2020-8192

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8192

reference_url

https://github.com/advisories/GHSA-xw5p-hw6r-2j98

reference_id

GHSA-xw5p-hw6r-2j98

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xw5p-hw6r-2j98

fixed_packages

url pkg:npm/fastify@2.15.1

purl pkg:npm/fastify@2.15.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6ht9-gg8u-9qax

vulnerability	VCID-76v3-f591-2qdt

vulnerability	VCID-8p2p-977a-qqb6

vulnerability	VCID-f1g6-gvqq-6kbf

vulnerability	VCID-g4ar-bpke-2qc2

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fastify@2.15.1

url pkg:npm/fastify@3.0.0

purl pkg:npm/fastify@3.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6ht9-gg8u-9qax

vulnerability	VCID-76v3-f591-2qdt

vulnerability	VCID-8p2p-977a-qqb6

vulnerability	VCID-f1g6-gvqq-6kbf

vulnerability	VCID-g4ar-bpke-2qc2

vulnerability	VCID-gmrs-ecv5-6kgm

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fastify@3.0.0

aliases CVE-2020-8192, GHSA-xw5p-hw6r-2j98

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t6pc-rnnq-g3gv

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fastify@2.8.0

Package Instance