
Commit 23f2ec9

1 parent 5c51f61 commit 23f2ec9


3 files changed

+170
-5
lines changed

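--- /dev/null
+++ b/<path-not-shown>/GHSA-72c6-fx6q-fr5w.json
@@ -0,0 +1,72 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-72c6-fx6q-fr5w",
+"modified": "2026-04-16T22:29:04Z",
+"published": "2026-04-16T22:29:04Z",
+"aliases": [
+"CVE-2026-6270"
+],
+"summary": "@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes",
+"details": "### Impact\n\n`@fastify/middie` v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fails to match incoming requests.\n\nThis results in complete bypass of middleware security controls for all routes defined within affected child plugin scopes, including nested (grandchild) scopes. Authentication, authorization, rate limiting, and any other middleware-based security mechanisms are skipped. No special request crafting or configuration is required.\n\nThis is the same vulnerability class as [GHSA-hrwm-hgmj-7p9c](https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c) (CVE-2026-33807) in `@fastify/express`.\n\n### Patches\n\nUpgrade to `@fastify/middie` v9.3.2 or later.\n\n### Workarounds\n\nNone. Upgrade to the patched version.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "@fastify/middie"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "9.3.2"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 9.3.1"
+}
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c"
+},
+{
+"type": "WEB",
+"url": "https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6270"
+},
+{
+"type": "WEB",
+"url": "https://cna.openjsf.org/security-advisories.html"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/fastify/middie"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-436"
+],
+"severity": "CRITICAL",
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-16T22:29:04Z",
+"nvd_published_at": "2026-04-16T14:16:19Z"
+}
+}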
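Review bot: The `references` array (new lines 41–62) has no entry of type `FIX`, even though `details` and the `"fixed": "9.3.2"` event assert that a patched release exists; an entry such as `{ "type": "FIX", "url": "<patch-commit-or-release-url>" }` would let consumers verify the remediation directly rather than inferring it from the version range. The same gap is present in the GHSA-v9ww-2j6r-98q6 file added in this commit. The prose also names GHSA-hrwm-hgmj-7p9c as the same vulnerability class in `@fastify/express`, but that relationship is carried only in the text and as a `WEB` reference; the schema's top-level `related` array is the machine-readable place for it, e.g. `"related": ["GHSA-hrwm-hgmj-7p9c"]`.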

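--- a/advisories/unreviewed/2026/04/GHSA-gmwr-9j4p-96vm/GHSA-gmwr-9j4p-96vm.json
+++ b/advisories/github-reviewed/2026/04/GHSA-gmwr-9j4p-96vm/GHSA-gmwr-9j4p-96vm.json
@@ -1,11 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gmwr-9j4p-96vm",
-"modified": "2026-04-16T00:54:04Z",
+"modified": "2026-04-16T22:28:24Z",
 "published": "2026-04-16T00:54:04Z",
 "aliases": [
 "CVE-2026-40500"
 ],
+"summary": "ProcessWire: server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature",
 "details": "ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints.",
 "severity": [
 {
@@ -14,10 +15,30 @@
 },
 {
 "type": "CVSS_V4",
-"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "processwire/processwire"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"last_affected": "3.0.255"
+}
+]
+}
+]
 }
 ],
-"affected": [],
 "references": [
 {
 "type": "ADVISORY",
@@ -27,6 +48,10 @@
 "type": "WEB",
 "url": "https://gist.github.com/thepiyushkumarshukla/7514e5eed526fd9d20fcfc42ce8d0a82"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/processwire/processwire"
+},
 {
 "type": "WEB",
 "url": "https://processwire.com"
@@ -41,8 +66,8 @@
 "CWE-918"
 ],
 "severity": "MODERATE",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-16T22:28:24Z",
 "nvd_published_at": "2026-04-15T22:17:22Z"
 }
 }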
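Review bot: The new `affected` entry (second hunk, new lines 21–39) carries no `database_specific.last_known_affected_version_range`, unlike the two `@fastify/middie` records added in this same commit, which pair their range with `"last_known_affected_version_range": "<= 9.3.1"`. Because this range ends in `"last_affected": "3.0.255"` with no `fixed` event, consumers have to infer that no patched version is recorded; adding `"last_known_affected_version_range": "<= 3.0.255"` next to `ranges` would make that explicit and keep the three files in this commit consistent. The surrounding JSON object begins and ends outside this hunk.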
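--- /dev/null
+++ b/<path-not-shown>/GHSA-v9ww-2j6r-98q6.json
@@ -0,0 +1,68 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-v9ww-2j6r-98q6",
+"modified": "2026-04-16T22:28:54Z",
+"published": "2026-04-16T22:28:54Z",
+"aliases": [
+"CVE-2026-33804"
+],
+"summary": "@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option",
+"details": "### Impact\n\n`@fastify/middie` v9.3.1 and earlier does not read the deprecated (but still functional) top-level `ignoreDuplicateSlashes` option, only reading from `routerOptions`. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, allowing middleware bypass via URLs with duplicate leading slashes (e.g., `//admin/secret`).\n\nThis only affects applications using the deprecated top-level configuration style (`fastify({ ignoreDuplicateSlashes: true })`). Applications using `routerOptions: { ignoreDuplicateSlashes: true }` are not affected.\n\nThis is distinct from [GHSA-8p85-9qpw-fwgw](https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw) (CVE-2026-2880), which was patched in v9.2.0.\n\n### Patches\n\nUpgrade to `@fastify/middie` >= 9.3.2.\n\n### Workarounds\n\nMigrate from deprecated top-level `ignoreDuplicateSlashes: true` to `routerOptions: { ignoreDuplicateSlashes: true }`.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "@fastify/middie"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "9.3.2"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 9.3.1"
+}
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33804"
+},
+{
+"type": "WEB",
+"url": "https://cna.openjsf.org/security-advisories.html"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/fastify/middie"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-436"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-16T22:28:54Z",
+"nvd_published_at": "2026-04-16T15:17:34Z"
+}
+}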
