The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Upgrade @fastify/express to version 4.0.7 or higher.
@fastify/express is an Express compatibility layer for Fastify
Affected versions of this package are vulnerable to Incorrect Behavior Order due to incorrect mount path prefix rewriting in the use() middleware handling. An attacker can reach protected routes without the intended middleware by sending requests under a prefixed plugin in which use() was registered with an array of paths or a RegExp path. In affected prefixed plugins, such middleware paths were not consistently rewritten to include the Fastify prefix, so route-specific checks, such as authentication or blocking logic, did not run on the prefixed endpoint. As a result, unauthenticated requests can reach handlers that were meant to be guarded, exposing protected data or functionality.
Notes

This issue applies when use() is given a non-string mount path such as an array or RegExp.

Workarounds

Avoid array or RegExp mount paths inside prefixed plugins; register a separate use() call for each path, for example admin.use('/private', authMiddleware) and admin.use('/settings', authMiddleware) instead of admin.use(['/private', '/settings'], authMiddleware).
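The following is an added illustration, not code from @fastify/express, that models the prefix-rewriting behaviour described above and why the per-path workaround matters: a rewrite that only prefixes string mount paths leaves array and RegExp mounts unprefixed, so a guard mounted under a plugin prefix never matches the prefixed URL, while a rewrite that handles all three forms does. The function and object names (naiveRewrite, consistentRewrite, mountMatches, middlewareRuns) are assumptions for this model.

```javascript
// Added model of mount-path prefix rewriting; not the library's own code.
// A plugin registered with prefix '/admin' calls use(mountPath, authMiddleware).
// For the guard to run on '/admin/private', the mount path must carry the prefix.

// Naive rewrite: only string paths get the prefix. Arrays and RegExps pass
// through unchanged, which is the failure mode the advisory describes.
function naiveRewrite(prefix, mountPath) {
  return typeof mountPath === 'string' ? prefix + mountPath : mountPath;
}

// Consistent rewrite: strings are prefixed, arrays are rewritten element by
// element, and a RegExp is wrapped so the prefix is required before the
// original expression is tested against the remainder of the URL.
function consistentRewrite(prefix, mountPath) {
  if (typeof mountPath === 'string') return prefix + mountPath;
  if (Array.isArray(mountPath)) return mountPath.map((p) => consistentRewrite(prefix, p));
  if (mountPath instanceof RegExp) return { prefix, re: mountPath };
  throw new TypeError('unsupported mount path');
}

// Express-style matching: a string mount matches the URL itself or any URL
// that continues with '/'; arrays match if any element matches; a bare RegExp
// is tested against the full URL; a wrapped RegExp first checks the prefix.
function mountMatches(mount, url) {
  if (typeof mount === 'string') return url === mount || url.startsWith(mount + '/');
  if (Array.isArray(mount)) return mount.some((m) => mountMatches(m, url));
  if (mount instanceof RegExp) return mount.test(url);
  if (mount && mount.re instanceof RegExp) {
    if (!url.startsWith(mount.prefix)) return false;
    return mount.re.test(url.slice(mount.prefix.length));
  }
  return false;
}

// True when middleware mounted at `mountPath` inside a plugin registered with
// `prefix` would run for a request to `url`, given the chosen rewrite strategy.
function middlewareRuns(rewrite, prefix, mountPath, url) {
  return mountMatches(rewrite(prefix, mountPath), url);
}

// Constructed sample: the array mount from the advisory's workaround text.
const guarded = ['/private', '/settings'];
console.log('naive, array mount:', middlewareRuns(naiveRewrite, '/admin', guarded, '/admin/private'));        // false: guard skipped
console.log('consistent, array mount:', middlewareRuns(consistentRewrite, '/admin', guarded, '/admin/private')); // true: guard runs
```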