
Posts by Ulises Gascón

@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option ### Impact `@fastify/middie` v9.3.1 and earlier does not read the deprecated (but still functional) top-level `ignoreDuplicateSlashes` option, only reading from `routerOptions`. This creates a nor...

🚨 High-severity security fix in @fastify/middie@9.3.2 just released!

Patches CVE-2026-33804 — middleware bypass via deprecated ignoreDuplicateSlashes option

github.com/fastify/midd...

3 days ago 0 0 0 0
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes ### Impact `@fastify/middie` v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps...

🚨 Critical-severity security fix in @fastify/middie@9.3.2 just released!

Patches CVE-2026-6270 — middleware authentication bypass in child plugin scopes

github.com/fastify/midd...

3 days ago 1 0 0 0
@fastify/static vulnerable to path traversal in directory listing ### Impact `@fastify/static` v9.1.0 and earlier serves directory listings outside the configured static root when the `list` option is enabled. A request such as `/public/../outside/` causes `di...

🚨 Medium-severity security fix in @fastify/static@9.1.1 just released!

Patches CVE-2026-6410 — path traversal in directory listing

github.com/fastify/fast...

3 days ago 1 0 0 0
@fastify/static vulnerable to route guard bypass via encoded path separators ### Impact `@fastify/static` v9.1.0 and earlier decodes percent-encoded path separators (`%2F`) before filesystem resolution, but Fastify's router treats them as literal characters. This creates a...

🚨 Medium-severity security fix in @fastify/static@9.1.1 just released!

Patches CVE-2026-6414 — route guard bypass via encoded path separators

github.com/fastify/fast...

3 days ago 1 0 0 0
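Added example for the two @fastify/static posts above (not the plugin's own code): a toy resolver for a static handler mounted at a prefix and serving from a root directory. It is string-only POSIX path handling so it runs anywhere, and the two checks it applies, rejecting percent-encoded separators before decoding and refusing `..` that climbs above the root, are my choice of hardening for the two bug classes the advisories describe, not a description of the actual fix in 9.1.1. The root, prefix and request paths are constructed.

```javascript
// Toy static resolver: mounted at `prefix`, serves files under `root` (assumed values).
// Order matters: (1) look at the raw, undecoded path for encoded separators, because
// the router matched the route on the literal characters; (2) only then decode and
// normalize '.'/'..' segments, refusing anything that would leave `root`.
function resolveStatic({ root, prefix }, rawUrl) {
  const urlPath = rawUrl.split('?')[0];
  if (urlPath !== prefix && !urlPath.startsWith(prefix + '/')) {
    return { ok: false, reason: 'not-under-prefix' };
  }
  const rel = urlPath.slice(prefix.length); // e.g. '/../outside/'

  // (1) %2F / %5C only turn into '/' or '\' after decoding; a route guard on
  // '/public/private' never saw a separator here, so do not let one appear later.
  if (/%2f|%5c/i.test(rel)) return { ok: false, reason: 'encoded-separator' };

  let decoded;
  try {
    decoded = decodeURIComponent(rel);
  } catch {
    return { ok: false, reason: 'bad-encoding' };
  }
  if (decoded.includes('\0')) return { ok: false, reason: 'nul-byte' };

  // (2) Segment-wise normalization. Popping past the root is a traversal attempt
  // whether the request is for a file or for a directory listing.
  const stack = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (stack.length === 0) return { ok: false, reason: 'traversal' };
      stack.pop();
      continue;
    }
    stack.push(seg);
  }
  const wantsListing = decoded.endsWith('/');
  const fsPath = stack.length ? root + '/' + stack.join('/') : root;
  return { ok: true, fsPath, wantsListing };
}

// Constructed mount used by the checks below.
const SITE = { root: '/srv/site', prefix: '/public' };
```

Note that `%2e%2e` is rejected too: it decodes to `..` and is caught by the segment walk, which is why decoding must happen before normalization, while the separator check must happen before decoding.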
Connection header abuse enables stripping of proxy-added headers ### Summary `@fastify/reply-from` and `@fastify/http-proxy` process the client's `Connection` header after the proxy has added its own headers via `rewriteRequestHeaders`. This allows attackers ...

🚨 Critical-severity security fix in @fastify/reply-from@12.6.2 and @fastify/http-proxy@11.4.4 just released!

Patches CVE-2026-33805 — connection header abuse enables stripping of proxy-added headers

github.com/fastify/fast...

4 days ago 1 0 0 0
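Added example for the @fastify/reply-from / @fastify/http-proxy post above (my own toy, not the libraries' code): a proxy's request-header pipeline in two orders. `stripHopByHop` applies the RFC 7230 rule that headers named in the client's `Connection` header, plus the fixed hop-by-hop set, are not forwarded; `addProxyHeaders` stands in for what `rewriteRequestHeaders` would add. The header names `x-internal-auth` and the attacker request are constructed for illustration.

```javascript
// Fixed hop-by-hop set from RFC 7230 section 6.1; the Connection header may name more.
const HOP_BY_HOP = new Set([
  'connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
  'te', 'trailer', 'transfer-encoding', 'upgrade',
]);

// Drop hop-by-hop headers, including every header the Connection header names.
function stripHopByHop(headers) {
  const named = new Set(
    String(headers.connection || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean),
  );
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (HOP_BY_HOP.has(key) || named.has(key)) continue;
    out[key] = value;
  }
  return out;
}

// Headers the proxy adds for the upstream (assumed names, for illustration only).
function addProxyHeaders(headers, clientIp) {
  return { ...headers, 'x-forwarded-for': clientIp, 'x-internal-auth': 'proxy-secret' };
}

// Vulnerable order: the proxy adds its headers first, then the client's Connection
// header decides what is stripped, so the client can name the proxy's own headers.
function buildUpstreamHeadersVulnerable(clientHeaders, clientIp) {
  return stripHopByHop(addProxyHeaders(clientHeaders, clientIp));
}

// Fixed order: hop-by-hop handling is applied to the client's headers only, and the
// proxy's headers are added afterwards, out of the client's reach.
function buildUpstreamHeadersFixed(clientHeaders, clientIp) {
  return addProxyHeaders(stripHopByHop(clientHeaders), clientIp);
}

// Constructed attacker request: it declares the proxy's headers to be hop-by-hop.
const ATTACKER_REQUEST = {
  host: 'app.internal',
  connection: 'close, x-internal-auth, x-forwarded-for',
  'x-forwarded-for': '10.0.0.1',
};
```

The fixed order also means a client-supplied `x-forwarded-for` is overwritten rather than trusted, because the proxy writes its headers last.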
Middleware path doubling causes authentication bypass in child plugin scopes ### Summary `@fastify/express` v4.0.4 contains a path handling bug in the `onRegister` function that causes middleware paths to be doubled when inherited by child plugins. This results in comple...

🚨 Critical-severity security fix in @fastify/express@4.0.5 just released!

Patches CVE-2026-33807 — middleware path doubling causes authentication bypass in child plugin scopes

github.com/fastify/fast...

4 days ago 0 0 0 0
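Added example for the @fastify/express path-doubling post above and the @fastify/middie child-scope post earlier in the feed (a toy model of scoped middleware inheritance, not either plugin's code). Middleware paths are stored absolute, as scope prefix plus mount path; the bug modelled here is prepending the child scope's prefix again when the parent's middlewares are inherited, which turns a guard on `/admin` into a guard on `/admin/admin`. Scope and route names are constructed.

```javascript
// Toy model of scoped middleware inheritance with Express-style mount semantics.
function createRootScope() {
  return { prefix: '', middlewares: [], routes: new Map() };
}

// Register a middleware in `scope` at `mountPath`; the stored path is absolute.
function use(scope, mountPath, name) {
  scope.middlewares.push({ path: scope.prefix + mountPath, name });
}

// Register a route handler in `scope`; the full URL is prefix + routePath.
function route(scope, routePath, handlerName) {
  scope.routes.set(scope.prefix + routePath, handlerName);
}

// Create a child scope with its own prefix, inheriting the parent's middlewares.
// `rePrefix: true` models the bug; `rePrefix: false` is the corrected behaviour.
function createChildScope(parent, prefix, { rePrefix }) {
  const scope = { prefix: parent.prefix + prefix, middlewares: [], routes: new Map() };
  for (const mw of parent.middlewares) {
    scope.middlewares.push({
      name: mw.name,
      // bug: '/admin' (already absolute) becomes '/admin/admin'
      path: rePrefix ? scope.prefix + mw.path : mw.path,
    });
  }
  return scope;
}

// Express mount semantics: '/admin' matches '/admin' and '/admin/...', nothing else.
function mountMatches(mountPath, url) {
  return url === mountPath || url.startsWith(mountPath + '/');
}

// Dispatch a request inside `scope`: which middlewares ran, and which handler.
function dispatch(scope, url) {
  const ran = scope.middlewares
    .filter((mw) => mountMatches(mw.path, url))
    .map((mw) => mw.name);
  return { ran, handler: scope.routes.get(url) || null };
}

// Scenario: the parent guards everything under /admin; a child plugin registered
// with the overlapping prefix /admin defines GET /admin/secret.
function scenario(rePrefix) {
  const root = createRootScope();
  use(root, '/admin', 'auth');
  const admin = createChildScope(root, '/admin', { rePrefix });
  route(admin, '/secret', 'adminSecret');
  return dispatch(admin, '/admin/secret');
}
```

A quick regression check for any such plugin is exactly `scenario`: register a guard in the parent, a child with an overlapping prefix, and assert the guard still runs for a child route.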
Middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) ### Summary `@fastify/express` v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path...

🚨 Critical-severity security fix in @fastify/express@4.0.5 just released!

Patches CVE-2026-33808 — middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

github.com/fastify/fast...

4 days ago 0 0 0 0
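Added example for the URL-normalization post above and the @fastify/middie `ignoreDuplicateSlashes` post at the top of the feed (a toy router, not Fastify, find-my-way or either plugin). The router normalizes the path before route lookup; the middleware layer is handed either the raw path (the bug) or the normalized one (the fix). The normalization itself is a simplified reading of the two options: collapse runs of `/`, and cut the path at the first `;`. Routes are constructed.

```javascript
// Simplified normalization of the two router options discussed in the advisories.
const ROUTER_OPTIONS = { ignoreDuplicateSlashes: true, useSemicolonDelimiter: true };

// Constructed route table.
const ROUTES = new Map([
  ['/admin', 'adminIndex'],
  ['/admin/secret', 'adminSecret'],
  ['/login', 'login'],
]);

function normalizePath(url, opts) {
  let p = url.split('?')[0];
  if (opts.useSemicolonDelimiter) p = p.split(';')[0];   // '/admin;x=1/secret' -> '/admin'
  if (opts.ignoreDuplicateSlashes) p = p.replace(/\/{2,}/g, '/'); // '//admin' -> '/admin'
  return p;
}

// Express mount semantics for a middleware mounted at `mountPath`.
function mountMatches(mountPath, p) {
  return p === mountPath || p.startsWith(mountPath + '/');
}

// Handle one request. normalizeForMiddleware=false models the bug: the router
// matched on the normalized path, but the guard compares against the raw one.
function handle(rawUrl, { normalizeForMiddleware }) {
  const routePath = normalizePath(rawUrl, ROUTER_OPTIONS);
  const handler = ROUTES.get(routePath);
  if (!handler) return { status: 404, handler: null, authRan: false };

  const middlewarePath = normalizeForMiddleware ? routePath : rawUrl.split('?')[0];
  const authRan = mountMatches('/admin', middlewarePath); // guard mounted at /admin
  return { status: 200, handler, authRan };
}
```

The rule this illustrates: whatever path the router uses to pick the handler is the path every guard must see. If a plugin copies `req.url` for its own matching, every router normalization option becomes a bypass.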
Body Schema Validation Bypass via Leading Space in Content-Type Header ### Summary A validation bypass vulnerability exists in Fastify v5.x where request body validation schemas specified via `schema.body.content` can be completely circumvented by prepending a single...

🚨 High-severity security fix in fastify@5.8.5 just released!

Patches CVE-2026-33806 — body schema validation bypass via leading space in Content-Type header

github.com/fastify/fast...

4 days ago 2 1 0 0
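Added example for the Content-Type post above (a toy dispatch keyed by content type, not Fastify's `schema.body.content` implementation): a naive lookup that uses the raw header value as the map key, beside a hardened lookup that parses the media type first and treats "no schema for this type" as a rejection rather than as permission to skip validation. The schemas and request bodies are constructed.

```javascript
// Constructed per-content-type body validators (what a schema map would hold).
const bodySchemas = {
  'application/json': (raw) => {
    let obj;
    try { obj = JSON.parse(raw); } catch { return false; }
    return obj !== null && typeof obj === 'object' && typeof obj.user === 'string';
  },
  'text/plain': (raw) => typeof raw === 'string' && raw.length <= 64,
};

// RFC 7231 media-type: type "/" subtype *( OWS ";" OWS parameter ).
// The key is the essence only: parameters dropped, whitespace trimmed, lowercased.
const TOKEN = "[!#$%&'*+.^_`|~0-9a-z-]+";
const MEDIA_TYPE = new RegExp(`^${TOKEN}/${TOKEN}$`);

function parseMediaType(header) {
  if (typeof header !== 'string') return null;
  const essence = header.split(';')[0].trim().toLowerCase();
  return MEDIA_TYPE.test(essence) ? essence : null;
}

// Bug: the raw header is the key. ' application/json' has no entry, and the
// request falls through to the handler with its body unvalidated.
function validateNaive(contentType, body) {
  const schema = bodySchemas[contentType];
  if (!schema) return { validated: false, accepted: true, status: 200 };
  const valid = schema(body);
  return { validated: true, accepted: valid, status: valid ? 200 : 400 };
}

// Fix: normalize first, and reject unknown types (415) instead of skipping.
function validateHardened(contentType, body) {
  const schema = bodySchemas[parseMediaType(contentType) ?? ''];
  if (!schema) return { validated: false, accepted: false, status: 415 };
  const valid = schema(body);
  return { validated: true, accepted: valid, status: valid ? 200 : 400 };
}
```

The second half of the fix matters as much as the parsing: a lookup that fails open will be bypassed by the next header variant nobody thought of (case, a parameter, a tab).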
Newsletter #013: Large Phishing Operations Against Maintainers 🎯 A coordinated phishing campaign is targeting high-impact open source maintainers. Plus: Scorecard v6 evolving into a security evidence engine, 12 CVEs patched across undici, fastify, path-to-regexp an...

🔖 The latest issue of my #newsletter is live, issue 013.

March recap: 12 CVEs across #undici, #Fastify, #Lodash & #pathtoregexp, a state-actor supply chain attack on #axios, and the #Nodejs security bug bounty paused 🔐

blog.ulisesgascon.com/newsletter-i...

5 days ago 1 0 0 0
Bar chart and table showing security advisory reports for Lodash and Express from March 2024 to March 2026. 120 total reports: 32 accepted (26.7%), 84 closed (70%), 4 pending (3.3%). Reports spike sharply in early 2026, reaching 40 in March 2026 alone, with only 7 accepted and 31 closed. Green bars represent accepted advisories, gray bars represent closed, and orange represents pending.


🔐 7 out of 10 of #security reports for #Lodash and #Express are invalid.

The current spike is LLM-generated noise eating volunteers' time that should go to releases, features, and real bugs.

1 week ago 3 1 2 0
Screenshot of Newsletter #013 published on GitHub Sponsors, showing the title "Large Phishing Operations Against Maintainers" with a Published badge, the opening paragraph, the beginning of the Axios supply chain compromise section, and a screenshot of phishing emails received by the author.


Just shipped a new newsletter to Sponsors! 🎁

Covers the phishing campaign targeting #opensource maintainers (including myself), Scorecard v6, 12 CVEs patched, and the Node.js bounty program pause 🔐

Get early access & support my OSS work here: github.com/sponsors/Uli...

1 week ago 2 0 0 0

Same here. Open source maintainers are unsung heroes. We need better funding and protection for them. #OpenSource

2 weeks ago 2 1 0 0

This campaign is massive and a great reminder that behind your favorite Open Source dependencies are humans too!

I was also targeted, lucky that it takes me years to check my inbox 💀

2 weeks ago 16 7 2 0
Node.js — Security Bug Bounty Program Paused Due to Loss of Funding Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

The #Nodejs project's security bug bounty program is being paused due to the discontinuation of its external funding source 😞

nodejs.org/en/blog/anno...

2 weeks ago 14 4 1 3
Release 4.2.1 · pillarjs/hbs What's Changed chore: add support for OSSF scorecard reporting by @inigomarquinez in #212 ci: apply OSSF Scorecard security best practices by @UlisesGascon in #213 Update README.md by @stefanneuha...

🚀 Just released hbs@4.2.1 📦

🍿 #release details: github.com/pillarjs/hbs...

2 weeks ago 1 0 0 0

HAHAHA! At this rate I should just set up an RSS feed and save everyone the trouble 🫠

2 weeks ago 0 0 1 0
lodash vulnerable to Code Injection via `_.template` imports key names ### Impact The fix for [CVE-2021-23337](https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `op...

🚨 High-severity security fix in lodash@4.18.0 just released!

Patches CVE-2026-4800 — lodash vulnerable to Code Injection via _.template imports key names

github.com/lodash/lodas...

2 weeks ago 1 0 1 0
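Added example for the `_.template` post above (a toy template compiler written for this feed, not lodash's implementation): import names become the parameter list of a function built with the `Function` constructor, which is one way "imports are visible to the template" gets implemented. A key that is a valid parameter fragment but not a plain identifier, such as `x = (globalThis.pwned = "yes")`, runs its default-value expression on every render. The fix applied here is an identifier whitelist on the key, which is my choice of check; the malicious imports object is constructed.

```javascript
// Plain ECMAScript identifier (reserved words would still throw inside Function).
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

// Compile 'Hello <%= name %>!' into a function whose parameters are the import keys.
function compileTemplate(template, imports, { validateImportKeys }) {
  const keys = Object.keys(imports);
  if (validateImportKeys) {
    for (const key of keys) {
      if (!IDENTIFIER.test(key)) {
        throw new TypeError(`invalid import name: ${JSON.stringify(key)}`);
      }
    }
  }
  // Split into literal text (even indices) and expressions (odd indices).
  const parts = template.split(/<%=\s*([\s\S]+?)\s*%>/);
  const body = 'return ' +
    parts.map((p, i) => (i % 2 ? `(${p})` : JSON.stringify(p))).join(' + ') + ';';
  // Unvalidated keys go straight into the parameter list: `function (k1, k2) { body }`.
  const fn = new Function(...keys, body);
  const values = keys.map((k) => imports[k]);
  return () => fn(...values);
}

// Constructed attacker-controlled import key; its value is irrelevant because the
// default initializer runs whenever the argument is undefined.
const MALICIOUS_IMPORTS = { 'x = (globalThis.pwned = "yes")': undefined };
```

The takeaway is that the `variable` option and the imports keys are the same sink: anything that ends up in a generated parameter list must be validated as an identifier, not just checked for obvious characters.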
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` ### Impact Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/securi...

🚨 Medium-severity security fix in lodash@4.18.0 just released!

Patches CVE-2026-2950 — lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit

github.com/lodash/lodas...

2 weeks ago 0 0 0 0
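Added example for the `_.unset` / `_.omit` post above (a toy `unset`, not lodash's): a prototype-key check that only inspects the string form of a path lets an array path like `['__proto__', 'greet']` walk onto the prototype and delete a shared method. The hardened version normalizes first, checks every key regardless of input form, and only descends into own properties. The `Widget` victim type is constructed.

```javascript
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept 'a.b.c' or ['a', 'b', 'c'].
function castPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

function walkAndDelete(obj, keys) {
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur == null) return false;
    cur = cur[keys[i]]; // an inherited key such as __proto__ walks onto the prototype
  }
  if (cur == null) return false;
  return delete cur[keys[keys.length - 1]];
}

// Vulnerable shape: the prototype-key check runs on the string form only, so an
// array path is never inspected.
function unsetVulnerable(obj, path) {
  if (typeof path === 'string' && path.split('.').some((k) => DANGEROUS_KEYS.has(k))) {
    throw new TypeError('refusing to unset prototype key');
  }
  return walkAndDelete(obj, castPath(path));
}

// Hardened: normalize, then check every key, then only descend into own properties.
function unsetHardened(obj, path) {
  const keys = castPath(path);
  if (keys.some((k) => DANGEROUS_KEYS.has(k))) {
    throw new TypeError('refusing to unset prototype key');
  }
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur == null || !own(cur, keys[i])) return false;
    cur = cur[keys[i]];
  }
  if (cur == null || !own(cur, keys[keys.length - 1])) return false;
  return delete cur[keys[keys.length - 1]];
}

// Constructed victim type: deleting `greet` via the prototype breaks every instance.
class Widget { greet() { return 'hi'; } }
```

The own-property walk is the belt-and-braces part: even if a new dangerous key name shows up, the walk cannot leave the object it was given.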
March 2026 Security Releases Security releases for path-to-regexp have been published. We recommend that all users upgrade as soon as possible.

🔒 Security update: Check out the March 2026 Security Releases for Express

Stay safe out there 🫡

expressjs.com/2026/03/30/s...

2 weeks ago 1 0 0 0
The Real Supply Chain Risk: Unsupported Dependencies, Overloaded Maintainers | OpenJS Foundation RSAC 2026 Brief from Robin Bender Ginn, Executive Director, OpenJS Foundation

"The biggest supply-chain risk isn’t abandoned code. It’s unsupported ecosystems."

At RSAC 2026, @rginn206.bsky.social outlined a consistent pattern across ecosystems: when maintainer capacity does not scale with dependency usage, security risk increases.

Read more on the blog: bit.ly/3PzHKA0

3 weeks ago 5 1 0 1
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards ### Impact When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the se...

🚨 Medium-severity security fix in path-to-regexp@8.4.0 just released!

Patches CVE-2026-4923 — path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards

github.com/pillarjs/pat...

3 weeks ago 0 0 0 0
path-to-regexp vulnerable to Denial of Service via sequential optional groups ### Impact A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the...

🚨 High-severity security fix in path-to-regexp@8.4.0 just released!

Patches CVE-2026-4926 — path-to-regexp vulnerable to Denial of Service via sequential optional groups

github.com/pillarjs/pat...

3 weeks ago 0 0 0 0
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters ### Impact A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b-:c` o...

🚨 High-severity security fix in path-to-regexp@0.1.13 just released!

Patches CVE-2026-4867 — Regular Expression Denial of Service via multiple route parameters

github.com/pillarjs/pat...

3 weeks ago 0 0 0 0
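Added example covering the three path-to-regexp posts above: a small linter that flags route patterns matching the shapes the advisories describe (three or more parameters in one segment not all separated by `.`, two or more wildcards combined with a parameter, and adjacent optional groups). The checks are my own heuristics written from the advisory text, not path-to-regexp's validation, and they can miss variants; the point is to have something to run over a route table before upgrading rather than after an outage.

```javascript
// Heuristic route-pattern linter. Parameters are `:name`; wildcards are `*name`
// (v8 syntax) or a bare `*`; optional groups use `{...}`.
function lintRoutePattern(pattern) {
  const findings = [];

  // (a) three or more parameters in one segment, not all separated by '.'
  for (const segment of pattern.split('/')) {
    const params = [...segment.matchAll(/:\w+/g)];
    if (params.length >= 3) {
      const separators = params.slice(1).map((m, i) =>
        segment.slice(params[i].index + params[i][0].length, m.index));
      if (separators.some((s) => s !== '.')) findings.push('multi-param-segment');
    }
  }

  // (b) multiple wildcards combined with at least one parameter
  const wildcards = (pattern.match(/\*\w*/g) || []).length;
  const paramCount = (pattern.match(/:\w+/g) || []).length;
  if (wildcards >= 2 && paramCount >= 1) findings.push('multiple-wildcards-with-param');

  // (c) sequential optional groups such as {a}{b}{c}
  if (/\}\s*\{/.test(pattern)) findings.push('sequential-optional-groups');

  return findings;
}

// Run over a whole route table; returns only the patterns with findings.
function lintRouteTable(patterns) {
  const report = {};
  for (const p of patterns) {
    const f = lintRoutePattern(p);
    if (f.length) report[p] = f;
  }
  return report;
}
```

Pipe your router's registered patterns (most frameworks expose them on startup) through `lintRouteTable` in CI; a non-empty report is a reason to look at the pattern even after the dependency upgrade, since a simpler pattern is the better fix for regex blow-up.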
Release 0.1.13 · pillarjs/path-to-regexp Important Fix CVE-2026-4867 (GHSA-37ch-88jc-xwx2) Full Changelog: v0.1.12...v.0.1.13

🚀 Just released path-to-regexp@0.1.13 📦

🍿 #release details: github.com/pillarjs/pat...

3 weeks ago 0 0 0 0
request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function ## Summary When `trustProxy` is configured with a restrictive trust function (e.g., a specific IP like `trustProxy: '10.0.0.1'`, a subnet, a hop count, or a custom function), the `request.protoc...

🚨 Moderate-severity security fix in fastify@5.8.3 just released!

Patches CVE-2026-3635 — request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses a restrictive trust function

github.com/fastify/fast...

3 weeks ago 0 0 0 0
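Added example for the trustProxy post above (a toy derivation of `request.protocol` and `request.host`, not Fastify's): `trustProxy` is modelled as `true`, an IP string, or a function of the peer address. The vulnerable shape treats any non-false setting as "forwarded headers are authoritative"; the fixed shape only believes `X-Forwarded-Proto` / `X-Forwarded-Host` when the socket's immediate peer passes the trust check. Addresses and headers are constructed.

```javascript
// Is the immediate TCP peer one of the trusted proxies?
function isTrustedPeer(trustProxy, remoteAddress) {
  if (trustProxy === true) return true;
  if (typeof trustProxy === 'string') return trustProxy === remoteAddress;
  if (typeof trustProxy === 'function') return trustProxy(remoteAddress);
  return false;
}

// Forwarded headers may be comma lists; the first entry is the original client-facing value.
function firstValue(headerValue) {
  return String(headerValue).split(',')[0].trim();
}

function derive(conn, headers, believeForwarded) {
  const proto = headers['x-forwarded-proto'];
  const host = headers['x-forwarded-host'];
  return {
    protocol: believeForwarded && proto ? firstValue(proto) : (conn.encrypted ? 'https' : 'http'),
    host: believeForwarded && host ? firstValue(host) : headers.host,
  };
}

// Vulnerable shape: a restrictive setting is treated like `true`; the peer is never checked.
function requestInfoVulnerable(conn, headers, trustProxy) {
  return derive(conn, headers, trustProxy !== false && trustProxy !== undefined);
}

// Fixed shape: the forwarded headers count only when this peer is trusted.
function requestInfoFixed(conn, headers, trustProxy) {
  return derive(conn, headers, isTrustedPeer(trustProxy, conn.remoteAddress));
}

// Constructed requests: one arriving from the real proxy, one direct from the internet
// carrying the same forwarded headers.
const FROM_PROXY = {
  conn: { remoteAddress: '10.0.0.1', encrypted: false },
  headers: { host: 'app.internal', 'x-forwarded-proto': 'https', 'x-forwarded-host': 'app.example.com' },
};
const DIRECT_SPOOF = {
  conn: { remoteAddress: '203.0.113.7', encrypted: false },
  headers: { host: 'app.internal', 'x-forwarded-proto': 'https', 'x-forwarded-host': 'evil.example' },
};
```

Why it matters: `request.host` and `request.protocol` feed redirects, absolute URLs in emails and password-reset links, and "secure cookie" decisions, so a spoofable host is a phishing and cache-poisoning primitive, not a cosmetic bug.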
a penguin wearing a black hat with the words thank you above it

So right! I just added it

1 month ago 1 0 0 0

I have it! blog.ulisesgascon.com/rss.xml. Let me know if this works :)

1 month ago 0 0 1 0
Newsletter #012: New Node.js Release Schedule, AI Stress-Testing Security & CVE Season 🔐 This month we cover the upcoming Node.js release schedule changes starting with 27.x, the growing pressure of AI-generated security reports on maintainers, a heavy CVE triage month, and updates across...

🔖 The latest issue of my #newsletter is live, issue 012.

February in numbers: 5 CVEs patched across #Express & #Fastify, 5 releases shipped, and a hard conversation about whether #opensource security triage is still sustainable in the age of AI 🔐

blog.ulisesgascon.com/newsletter-i...

1 month ago 5 0 1 1
Malicious WebSocket 64-bit length overflows undici parser and crashes the client ### Impact A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throw...

🚨 High-severity security fix in undici@7.24.0 just released!

Patches CVE-2026-1528 — malicious WebSocket 64-bit frame length handling could crash the client.

github.com/nodejs/undic...

1 month ago 0 0 0 0
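Added example for the undici post above (a frame-header parser written for this feed, not undici's ByteParser): it reads the RFC 6455 frame header from a byte array and keeps the 64-bit length form in a BigInt until it has been checked, so a hostile length can never reach Number arithmetic. It rejects the MSB-set case the RFC forbids, non-minimal encodings, anything above 2^53-1, and anything above a caller-chosen `maxPayload`. The sample frames are constructed.

```javascript
// Parse a WebSocket frame header (RFC 6455 section 5.2). `maxPayload` is the
// caller's policy limit (assumed default; pick what the client actually needs).
function parseFrameHeader(bytes, { maxPayload = 16 * 1024 * 1024 } = {}) {
  if (bytes.length < 2) return { ok: false, reason: 'need-more-data' };
  const fin = (bytes[0] & 0x80) !== 0;
  const opcode = bytes[0] & 0x0f;
  const masked = (bytes[1] & 0x80) !== 0;
  let len = BigInt(bytes[1] & 0x7f);
  let offset = 2;
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);

  if (len === 126n) {
    if (bytes.length < 4) return { ok: false, reason: 'need-more-data' };
    len = BigInt(view.getUint16(2));
    offset = 4;
    if (len < 126n) return { ok: false, reason: 'non-minimal-length' };
  } else if (len === 127n) {
    if (bytes.length < 10) return { ok: false, reason: 'need-more-data' };
    len = view.getBigUint64(2); // all 64 bits, no float rounding
    offset = 10;
    if (len >> 63n !== 0n) return { ok: false, reason: 'msb-set' }; // RFC: MSB must be 0
    if (len < 65536n) return { ok: false, reason: 'non-minimal-length' };
  }

  // Above 2^53-1 a Number cannot hold the value exactly; refuse before any arithmetic.
  if (len > BigInt(Number.MAX_SAFE_INTEGER)) return { ok: false, reason: 'unsafe-length' };
  const payloadLength = Number(len);
  if (payloadLength > maxPayload) return { ok: false, reason: 'exceeds-max-payload' };
  if (masked) offset += 4; // masking key follows the length
  return { ok: true, fin, opcode, masked, payloadLength, headerLength: offset };
}

// Constructed server-to-client frames (unmasked).
const FRAME_SMALL = Uint8Array.from([0x81, 0x05]);                                   // text, 5 bytes
const FRAME_16BIT = Uint8Array.from([0x82, 0x7e, 0x01, 0x00]);                       // binary, 256 bytes
const FRAME_64BIT_1MIB = Uint8Array.from([0x82, 0x7f, 0, 0, 0, 0, 0, 0x10, 0, 0]);   // 1048576 bytes
const FRAME_2_POW_53 = Uint8Array.from([0x82, 0x7f, 0, 0x20, 0, 0, 0, 0, 0, 0]);     // 2^53
const FRAME_MSB_SET = Uint8Array.from([0x82, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff]);
```

A parser that converts the 64-bit field with shifts on Numbers silently wraps past 2^32 or loses precision past 2^53; keeping the value as a BigInt until every check has passed is the cheap way to make the failure mode a clean close frame instead of a crash.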