Fastify
This hub aggregates every CVE we track for Fastify, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 14
- Critical: 2
- High: 7
- In CISA KEV: 0
Severity distribution: Critical 2, High 7, Medium 4, Low 1
Monthly trend (CVEs published per month, 2024-07 to 2026-06): 2025-01: 1, 2025-04: 1, 2026-02: 2, 2026-03: 2, 2026-04: 3, 2026-05: 1; every other month in the range: 0.
Latest CVEs
The 14 most recently published vulnerabilities affecting Fastify.
- CVE-2026-42349 (score 8.1): Clerk: Authorization bypass when combining organization, billing, or reverification checks
- CVE-2026-33807 (score 9.1): @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes
- CVE-2026-33808 (score 9.1): @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
- CVE-2026-33806 (score 7.5): fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header
- CVE-2026-3635 (score 6.1): Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function
- CVE-2026-3419 (score 5.3): Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
- CVE-2026-25223 (score 7.5): Fastify's Content-Type header tab character allows body validation bypass
- CVE-2026-25224 (score 3.7): Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream
- CVE-2025-32442 (score 7.5): Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
- CVE-2025-24033 (score 7.5): @fastify/multipart vulnerable to unlimited consumption of resources
- CVE-2022-41919 (score 4.2): Fastify vulnerable to Cross-Site Request Forgery (CSRF) attack via incorrect content type
- CVE-2022-39288 (score 7.5): Denial of service in Fastify via Content-Type header
- CVE-2020-8192 (score 6.5): A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted sc...
- CVE-2018-3711 (score 7.5): Fastify node module before 0.38.0 is vulnerable to a denial-of-service attack by sending a request with "Content-Type: application/json" and a very large payload.
Product normalization is registry-driven with AI assist and human review.