Publish Advisories

GHSA-8p85-9qpw-fwgw
GHSA-f2v5-7jq9-h8cg

Author: advisory-database[bot]

advisories/github-reviewed/2026/02/GHSA-8p85-9qpw-fwgw/GHSA-8p85-9qpw-fwgw.json

@@ -0,0 +1,77 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8p85-9qpw-fwgw",
+  "modified": "2026-02-28T02:47:17Z",
+  "published": "2026-02-28T02:47:17Z",
+  "aliases": [
+    "CVE-2026-2880"
+  ],
+  "summary": "@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware",
+  "details": "## Summary\nA path normalization inconsistency in `@fastify/middie` can result in authentication/authorization bypass when using path-scoped middleware (for example, `app.use('/secret', auth)`).\n\nWhen Fastify router normalization options are enabled (such as `ignoreDuplicateSlashes`, `useSemicolonDelimiter`, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.\n\n## Impact\nAn unauthenticated remote attacker can access endpoints intended to be protected by middleware-based auth/authorization controls by sending specially crafted URL paths (for example, `//secret` or `/secret;foo=bar`), depending on router option configuration.\n\nThis may lead to unauthorized access to protected functionality and data exposure.\n\n## Affected versions\n- Confirmed affected: `@fastify/middie@9.1.0`\n- All versions prior to the patch are affected.\n\n## Patched versions\n- Fixed in: *9.2.0*\n\n## Details\nThe issue is caused by canonicalization drift between:\n1. `@fastify/middie` path matching for `app.use('/prefix', ...)`, and\n2. Fastify/find-my-way route lookup normalization.\n\nBecause middleware and router did not always evaluate the same normalized path, auth middleware could be skipped while route resolution still succeeded.\n\n## Workarounds\nUntil patched version is deployed:\n- Avoid relying solely on path-scoped middie guards for auth/authorization.\n- Enforce auth at route-level handlers/hooks after router normalization.\n- Disable risky normalization combinations only if operationally feasible.\n\n## Resources\n- Fluid Attacks Disclosure Policy: https://fluidattacks.com/advisories/policy\n- Fluid Attacks advisory URL: https://fluidattacks.com/advisories/jimenez\n\n## Credits\n- **Cristian Vargas** (Fluid Attacks Research Team) — discovery and report.\n- **Oscar Uribe** (Fluid Attacks) — coordination and disclosure.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@fastify/middie"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "9.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2880"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/fastify/middie/commit/140e0dd0359d890fec7e6ea1dcc5134d6bd554d4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://fluidattacks.com/advisories/jimenez"
+    },
+    {
+      "type": "WEB",
+      "url": "https://fluidattacks.com/advisories/policy"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/fastify/middie"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/fastify/middie/releases/tag/v9.2.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-28T02:47:17Z",
+    "nvd_published_at": "2026-02-27T19:16:12Z"
+  }
+}

advisories/github-reviewed/2026/02/GHSA-f2v5-7jq9-h8cg/GHSA-f2v5-7jq9-h8cg.json

@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f2v5-7jq9-h8cg",
+  "modified": "2026-02-28T02:46:10Z",
+  "published": "2026-02-28T02:46:10Z",
+  "aliases": [
+    "CVE-2026-28351"
+  ],
+  "summary": "pypdf: Manipulated RunLengthDecode streams can exhaust RAM",
+  "details": "### Impact\n\nAn attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter.\n\n### Patches\nThis has been fixed in [pypdf==6.7.4](https://github.com/py-pdf/pypdf/releases/tag/6.7.4).\n\n### Workarounds\nIf you cannot upgrade yet, consider applying the changes from PR [#3664](https://github.com/py-pdf/pypdf/pull/3664).",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "pypdf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.7.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28351"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/py-pdf/pypdf/pull/3664"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/py-pdf/pypdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/py-pdf/pypdf/releases/tag/6.7.4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-28T02:46:10Z",
+    "nvd_published_at": "2026-02-27T21:16:19Z"
+  }
+}