Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-upxb-saer-nbhg
Summary
@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware
A path normalization inconsistency in `@fastify/middie` can result in authentication/authorization bypass when using path-scoped middleware (for example, `app.use('/secret', auth)`).

When Fastify router normalization options are enabled (such as `ignoreDuplicateSlashes`, `useSemicolonDelimiter`, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.
Aliases
0
alias CVE-2026-2880
1
alias GHSA-8p85-9qpw-fwgw
Fixed_packages
0
url pkg:npm/%40fastify/middie@9.2.0
purl pkg:npm/%40fastify/middie@9.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@9.2.0
Affected_packages
0
url pkg:npm/%40fastify/middie@8.0.0
purl pkg:npm/%40fastify/middie@8.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-wnye-62ms-akgc
3
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@8.0.0
1
url pkg:npm/%40fastify/middie@8.1.0
purl pkg:npm/%40fastify/middie@8.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-wnye-62ms-akgc
3
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@8.1.0
2
url pkg:npm/%40fastify/middie@8.2.0
purl pkg:npm/%40fastify/middie@8.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-wnye-62ms-akgc
3
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@8.2.0
3
url pkg:npm/%40fastify/middie@8.3.0
purl pkg:npm/%40fastify/middie@8.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-wnye-62ms-akgc
3
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@8.3.0
4
url pkg:npm/%40fastify/middie@8.3.1
purl pkg:npm/%40fastify/middie@8.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-wnye-62ms-akgc
3
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@8.3.1
5
url pkg:npm/%40fastify/middie@8.3.2
purl pkg:npm/%40fastify/middie@8.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-wnye-62ms-akgc
3
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@8.3.2
6
url pkg:npm/%40fastify/middie@8.3.3
purl pkg:npm/%40fastify/middie@8.3.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-wnye-62ms-akgc
3
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@8.3.3
7
url pkg:npm/%40fastify/middie@9.0.0-pre.fv5.1
purl pkg:npm/%40fastify/middie@9.0.0-pre.fv5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-wnye-62ms-akgc
3
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@9.0.0-pre.fv5.1
8
url pkg:npm/%40fastify/middie@9.0.0-pre.fv5.2
purl pkg:npm/%40fastify/middie@9.0.0-pre.fv5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-wnye-62ms-akgc
3
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@9.0.0-pre.fv5.2
9
url pkg:npm/%40fastify/middie@9.0.0
purl pkg:npm/%40fastify/middie@9.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-wnye-62ms-akgc
3
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@9.0.0
10
url pkg:npm/%40fastify/middie@9.0.1
purl pkg:npm/%40fastify/middie@9.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-wnye-62ms-akgc
3
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@9.0.1
11
url pkg:npm/%40fastify/middie@9.0.2
purl pkg:npm/%40fastify/middie@9.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-wnye-62ms-akgc
3
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@9.0.2
12
url pkg:npm/%40fastify/middie@9.0.3
purl pkg:npm/%40fastify/middie@9.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-wnye-62ms-akgc
3
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@9.0.3
13
url pkg:npm/%40fastify/middie@9.1.0
purl pkg:npm/%40fastify/middie@9.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5sys-zwsu-c7fp
1
vulnerability VCID-upxb-saer-nbhg
2
vulnerability VCID-zc68-ntk2-p3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540fastify/middie@9.1.0
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-2880
reference_id
reference_type
scores
0
value 0.00087
scoring_system epss
scoring_elements 0.24991
published_at 2026-06-07T12:55:00Z
1
value 0.00087
scoring_system epss
scoring_elements 0.24942
published_at 2026-06-09T12:55:00Z
2
value 0.00087
scoring_system epss
scoring_elements 0.24934
published_at 2026-06-08T12:55:00Z
3
value 0.00087
scoring_system epss
scoring_elements 0.25044
published_at 2026-06-06T12:55:00Z
4
value 0.00087
scoring_system epss
scoring_elements 0.25056
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-2880
1
reference_url https://fluidattacks.com/advisories/jimenez
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://fluidattacks.com/advisories/jimenez
2
reference_url https://fluidattacks.com/advisories/policy
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://fluidattacks.com/advisories/policy
3
reference_url https://github.com/fastify/middie
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/fastify/middie
4
reference_url https://github.com/fastify/middie/commit/140e0dd0359d890fec7e6ea1dcc5134d6bd554d4
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/fastify/middie/commit/140e0dd0359d890fec7e6ea1dcc5134d6bd554d4
5
reference_url https://github.com/fastify/middie/releases/tag/v9.2.0
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/fastify/middie/releases/tag/v9.2.0
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-2880
reference_id CVE-2026-2880
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-2880
7
reference_url https://github.com/advisories/GHSA-8p85-9qpw-fwgw
reference_id GHSA-8p85-9qpw-fwgw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8p85-9qpw-fwgw
8
reference_url https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw
reference_id GHSA-8p85-9qpw-fwgw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:55:36Z/
url https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw
Weaknesses
0
cwe_id 20
name Improper Input Validation
description The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-upxb-saer-nbhg