| purl | pkg:npm/fastify@0.14.0 |
|---|---|

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-4pu6-91xp-kud3 (Aliases: CVE-2018-3711, GHSA-mq6c-fh97-4gwv) | Denial of Service vulnerability with large JSON payloads in fastify. | Affected by 6 other vulnerabilities. |
| VCID-6ht9-gg8u-9qax (Aliases: CVE-2026-25224, GHSA-mrq3-vjjr-p77c) | Fastify is a fast and low overhead web framework for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or a Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3. | Affected by 3 other vulnerabilities. |
| VCID-76v3-f591-2qdt (Aliases: CVE-2022-29220, GHSA-v5vr-h3xq-8v6w) | github-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check whether a commit created by dependabot is verified with the proper GPG key. There is only a check that the actor is set to `dependabot[bot]` to determine whether the PR is legitimate. Theoretically, the owner of a seemingly valid and legitimate action in the pipeline can check whether the PR was created by dependabot and whether their own action has enough permissions to modify the PR in the pipeline. If so, they can modify the PR by adding a second seemingly valid and legitimate commit, since the username and email for git commits can be set arbitrarily. Because the bot only checks that the actor is valid, it would pass the malicious changes through and merge the PR automatically without the project maintainers noticing. It would probably not be possible to determine where the malicious commit came from, as it would only show `dependabot[bot]` and the corresponding email address. Version 3.2.0 contains a patch for this issue. | Affected by 5 other vulnerabilities. |
| VCID-8p2p-977a-qqb6 (Aliases: CVE-2026-25223, GHSA-jx2c-rxcm-jvmq) | Fastify is a fast and low overhead web framework for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2. | Affected by 4 other vulnerabilities. |
| VCID-f1g6-gvqq-6kbf (Aliases: CVE-2022-39288, GHSA-455w-c45v-86rg) | fastify is a fast and low overhead web framework for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out HTTP requests with malicious Content-Type headers. | Affected by 4 other vulnerabilities. |
| VCID-g4ar-bpke-2qc2 (Aliases: CVE-2026-3635, GHSA-444r-cwp2-x5xf) | Summary: When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read the X-Forwarded-Proto and X-Forwarded-Host headers from any connection, including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. Affected versions: fastify <= 5.8.2. Impact: Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function. When trustProxy: true (trust everything), both host and protocol trust all forwarded headers; this is expected behavior. The vulnerability only manifests with restrictive trust configurations. | Affected by 1 other vulnerability. |
| VCID-t6pc-rnnq-g3gv (Aliases: CVE-2020-8192, GHSA-xw5p-hw6r-2j98) | Denial of service in fastify. | Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |