fix: decode paths before matching#245
Merged
mcollina merged 4 commits intofastify:mainfrom Jan 3, 2026
Merged
Conversation
kibertoad
reviewed
Dec 29, 2025
gurgunday
reviewed
Jan 2, 2026
Member
gurgunday
left a comment
gurgunday
left a comment
There was a problem hiding this comment.
lgtm
can you run npm run lint:fix?
Member
|
@kamilmysliwiec in the future, please report vulnerability privately. |
Eomm
changed the title
Signed-off-by: Manuel Spigolon <behemoth89@gmail.com>
Contributor
Author
|
@mcollina i was informed that the vulnerability has already been submitted privately - i wasn't the one who found it |
Member
https://github.com/fastify/fastify/blob/main/SECURITY.md#publication
|
mcollina
added a commit
to fastify/fastify-express
that referenced
this pull request
Jan 3, 2026
URL-encoded paths could bypass middleware (e.g., /%61dmin would bypass middleware registered on /admin). This uses FindMyWay.sanitizeUrlPath() to decode URLs before Express matches middleware, consistent with the fix in fastify/middie#245.
4 tasks
Eomm
added a commit
to fastify/fastify-express
that referenced
this pull request
Jan 5, 2026
* fix: decode paths before matching URL-encoded paths could bypass middleware (e.g., /%61dmin would bypass middleware registered on /admin). This uses FindMyWay.sanitizeUrlPath() to decode URLs before Express matches middleware, consistent with the fix in fastify/middie#245. * fix: handle express handlers (#175) --------- Co-authored-by: Manuel Spigolon <manuel.spigolon@nearform.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix on the NestJS side nestjs/nest#16135
if someone calls
your-api:3000/%61dmin, no middleware will be triggered, even though the/adminendpoint (handler) would be executed (asfind-my-waydecode URLs before matching routes)credit for reporting this issue goes to Hacktron AI
Checklist
npm run test && npm run benchmark --if-presentand the Code of conduct