Climba03003

**Name of the Vulnerable Software and Affected Versions** @fastify/middie versions prior to 9.3.2 **Description** A middleware bypass exists when the deprecated `ignoreDuplicateSlashes` option is enabled. The middleware path matching logic fails to account for duplicate slash normalization performed by the router, allowing requests with duplicate leading slashes (e.g., '//admin/secret') to bypass authentication and authorization checks. This issue specifically affects applications using the deprecated top-level configuration style `fastify({ ignoreDuplicateSlashes: true })` rather than the `routerOptions` configuration. **Recommendations** Upgrade to @fastify/middie version 9.3.2. As a temporary workaround, migrate from the deprecated top-level `ignoreDuplicateSlashes: true` configuration to `routerOptions: { ignoreDuplicateSlashes: true }` or disable the `ignoreDuplicateSlashes` option.

**Name of the Vulnerable Software and Affected Versions** @fastify/static versions 8.0.0 through 9.1.0 **Description** @fastify/static decodes percent-encoded path separators ('%2F') before filesystem resolution, whereas the Fastify router treats them as literal characters. This discrepancy allows for a routing mismatch where route guards or middleware protecting specific paths can be bypassed. For instance, a guard protecting '/admin/*' will not match a request for '/admin%2Fsecret.html', but the software will decode the request and serve the file from '/admin/secret.html'. **Recommendations** Upgrade to @fastify/static version 9.1.1.

**Name of the Vulnerable Software and Affected Versions** @fastify/middie versions prior to 9.3.2 **Description** Inherited middleware is not registered directly on child plugin engine instances. When authentication middleware is registered in a parent scope and child plugins are registered with @fastify/middie, the child scope fails to inherit the parent middleware. This occurs because middleware paths are incorrectly re-prefixed when propagated to child plugin scopes; if a child plugin is registered with a prefix overlapping a parent-scoped middleware path, the path is modified and fails to match incoming requests. Consequently, security controls such as authentication, authorization, and rate limiting are skipped for all routes defined within affected child and nested grandchild plugin scopes, allowing unauthenticated requests to reach those routes. **Recommendations** Upgrade to @fastify/middie version 9.3.2.

**Name of the Vulnerable Software and Affected Versions** @fastify/static versions 8.0.0 through 9.1.0 **Description** Path traversal occurs when directory listing is enabled via the `list` option. The `dirList.path()` function resolves directories outside the configured static root using `path.join()` without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names, although file contents are not disclosed. **Recommendations** Upgrade to version 9.1.1. As a temporary workaround, disable directory listing by removing the `list` option from the plugin configuration.

**Name of the Vulnerable Software and Affected Versions** fastify versions 5.3.2 through 5.8.4 **Description** Applications using `schema.body.content` for per-content-type body validation are subject to a validation bypass. By prepending a space to the Content-Type header, the body is still parsed correctly, but the schema validation is skipped entirely. **Recommendations** Upgrade to version 5.8.5 or later.

**Name of the Vulnerable Software and Affected Versions** @fastify/express versions prior to 4.0.5 **Description** A path handling bug in the `onRegister()` function causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix matching a middleware path, the path is prefixed a second time, preventing it from matching incoming requests. This leads to a complete bypass of Express middleware security controls, such as authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. **Recommendations** Upgrade to version 4.0.5 or later.

**Name of the Vulnerable Software and Affected Versions** @fastify/express versions prior to 4.0.5 **Description** An issue exists where the software fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows an unauthenticated attacker to bypass path-scoped authentication middleware by manipulating the URL path. Specifically, the bypass occurs via duplicate slashes when `ignoreDuplicateSlashes` is enabled, or via semicolon delimiters when `useSemicolonDelimiter` is enabled. In these scenarios, the Fastify router normalizes the URL to match the route, but the original un-normalized URL is passed to Express middleware, causing it to fail to match and be skipped. **Recommendations** Upgrade to @fastify/express v4.0.5 or later.

**Name of the Vulnerable Software and Affected Versions** @fastify/reply-from versions prior to 12.6.2 @fastify/http-proxy versions prior to 11.4.4 **Description** A logic flaw in the header processing pipeline of the Node.js Fastify framework allows unauthenticated remote attackers to bypass security controls. The issue occurs because the `rewriteRequestHeaders()` function processes the client's `Connection` header after the proxy has added its own headers. This allows an attacker to retroactively strip headers added by the proxy for routing, access control, or security purposes by listing them in the `Connection` header value. This can lead to unauthorized modification of protected information or the bypass of proxy identification and authorization mechanisms. **Recommendations** Upgrade @fastify/reply-from to version 12.6.2 or later. Upgrade @fastify/http-proxy to version 11.4.4 or later.