Threats Tagged 'cwe-177'
View all threats tagged with 'cwe-177'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'cwe-177'
Click on any threat for detailed analysis and mitigation recommendations
CVE-2026-29045: CWE-177: Improper Handling of URL Encoding (Hex Encoding) in honojs honoCVE-2026-29045 0 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4. Join the discussion | CVE Database V5 | 03/04/2026, 22:09:22 UTC Added: 03/04/2026, 22:18:20 UTC |
CVE-2026-22037: CWE-177: Improper Handling of URL Encoding (Hex Encoding) in fastify fastify-expressCVE-2026-22037 0 The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch fort the issue. Join the discussion | CVE Database V5 | 01/19/2026, 16:48:10 UTC Added: 01/19/2026, 19:03:08 UTC |
CVE-2026-22031: CWE-177: Improper Handling of URL Encoding (Hex Encoding) in fastify middieCVE-2026-22031 0 CVE-2026-22031 is a high-severity vulnerability in the @fastify/middie plugin prior to version 9. 1. 0 that allows bypassing middleware protections via URL-encoded path prefixes. The middleware fails to decode URL-encoded characters when matching paths, while Fastify's router correctly decodes them, enabling attackers to access protected routes without middleware enforcement. This can lead to unauthorized access, compromising confidentiality and integrity of applications using vulnerable versions. The vulnerability requires network access and low privileges but no user interaction. Although no known exploits are reported, the impact on affected systems is significant. Upgrading to version 9. 1. 0 or later mitigates the issue. Join the discussion | CVE Database V5 | 01/19/2026, 15:24:45 UTC Added: 01/19/2026, 15:41:45 UTC |
Showing 1 to 3 of 3 results