high severity
new
- Vulnerable module: fastify
- Introduced through: fastify@4.29.1
Detailed paths
- Introduced through: @aiswarm/api-graphql@aiswarm/api-graphql#64a8c671bbd79650897bd4fd2b9ce7b4d7ffa041 › fastify@4.29.1
Remediation: Upgrade to fastify@5.7.2.
Overview
fastify is a fast and low overhead web framework for Node.js.
Affected versions of this package are vulnerable to Interpretation Conflict via the Content-Type header processing. An attacker can bypass body validation by appending a tab character (\t) and arbitrary content to the Content-Type header, causing the server to treat the body as the intended type without enforcing validation rules.
Note: This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints.
Workaround
This vulnerability can be mitigated by implementing a custom onRequest hook to reject requests containing tab characters in the Content-Type header.
Remediation
Upgrade fastify to version 5.7.2 or higher.
high severity
- Vulnerable module: undici
- Introduced through: mercurius@13.4.1
Detailed paths
- Introduced through: @aiswarm/api-graphql@aiswarm/api-graphql#64a8c671bbd79650897bd4fd2b9ce7b4d7ffa041 › mercurius@13.4.1 › undici@5.28.3
Remediation: Upgrade to mercurius@14.1.0.
Overview
undici is an HTTP/1.1 client, written from scratch for Node.js.
Affected versions of this package are vulnerable to Insecure Randomness due to the use of Math.random(), an insufficiently random value generator, for boundary selection in multipart/form-data requests. An attacker can predict the boundary values and manipulate multipart requests by intercepting and analyzing multiple requests to deduce the random generator pattern.
Note: This is only exploitable if multipart requests are sent to an attacker-controlled server.
Remediation
Upgrade undici to version 5.28.5, 6.21.1, 7.2.3 or higher.
medium severity
new
- Vulnerable module: fastify
- Introduced through: fastify@4.29.1
Detailed paths
- Introduced through: @aiswarm/api-graphql@aiswarm/api-graphql#64a8c671bbd79650897bd4fd2b9ce7b4d7ffa041 › fastify@4.29.1
Remediation: Upgrade to fastify@5.7.3.
Overview
fastify is a fast and low overhead web framework for Node.js.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the sendWebStream function. An attacker can cause excessive memory consumption by sending a slow or non-reading client request, leading to unbounded buffering and severe performance degradation or process crashes.
Note: Only applications that return a ReadableStream (or a Response with a Web Stream body) via reply.send() are impacted.
Workaround
This vulnerability can be mitigated by avoiding Fastify Web Streams in responses and instead using Node.js streams or buffered payloads.
Remediation
Upgrade fastify to version 5.7.3 or higher.
medium severity
- Vulnerable module: undici
- Introduced through: mercurius@13.4.1
Detailed paths
- Introduced through: @aiswarm/api-graphql@aiswarm/api-graphql#64a8c671bbd79650897bd4fd2b9ce7b4d7ffa041 › mercurius@13.4.1 › undici@5.28.3
Remediation: Upgrade to mercurius@15.0.0.
Overview
undici is an HTTP/1.1 client, written from scratch for Node.js.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the decompression chain. An attacker can cause high CPU usage and excessive memory allocation by sending HTTP responses with a large number of chained compression steps in the Content-Encoding header.
Remediation
Upgrade undici to version 6.23.0, 7.18.2 or higher.
low severity
- Vulnerable module: undici
- Introduced through: mercurius@13.4.1
Detailed paths
- Introduced through: @aiswarm/api-graphql@aiswarm/api-graphql#64a8c671bbd79650897bd4fd2b9ce7b4d7ffa041 › mercurius@13.4.1 › undici@5.28.3
Remediation: Upgrade to mercurius@14.1.0.
Overview
undici is an HTTP/1.1 client, written from scratch for Node.js.
Affected versions of this package are vulnerable to Improper Authorization due to improper handling of Proxy-Authorization headers during cross-origin redirects in certain methods. An attacker can exploit this behavior by inducing a victim to make a request that triggers a cross-origin redirect, potentially leaking sensitive information contained in the Proxy-Authorization header.
Remediation
Upgrade undici to version 5.28.4, 6.11.1 or higher.
low severity
- Vulnerable module: undici
- Introduced through: mercurius@13.4.1
Detailed paths
- Introduced through: @aiswarm/api-graphql@aiswarm/api-graphql#64a8c671bbd79650897bd4fd2b9ce7b4d7ffa041 › mercurius@13.4.1 › undici@5.28.3
Remediation: Upgrade to mercurius@14.1.0.
Overview
undici is an HTTP/1.1 client, written from scratch for Node.js.
Affected versions of this package are vulnerable to Improper Access Control due to the integrity option passed to fetch(). An attacker can alter this option, allowing fetch() to accept requests as valid even if they have been tampered with.
Remediation
Upgrade undici to version 5.28.4, 6.11.1 or higher.
low severity
- Vulnerable module: undici
- Introduced through: mercurius@13.4.1
Detailed paths
- Introduced through: @aiswarm/api-graphql@aiswarm/api-graphql#64a8c671bbd79650897bd4fd2b9ce7b4d7ffa041 › mercurius@13.4.1 › undici@5.28.3
Remediation: Upgrade to mercurius@14.1.0.
Overview
undici is an HTTP/1.1 client, written from scratch for Node.js.
Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime due to improper handling of invalid certificate data. An attacker can cause a memory leak by setting up a server with a bad certificate and inducing the application to repeatedly call a webhook-like system.
Remediation
Upgrade undici to version 5.29.0, 6.21.2, 7.5.0 or higher.