Fastify Middie
CVE-2026-22031
HIGH
Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
3Blast Radius
ecosystem impact- 2 npm packages depend on @fastify/middie (1 direct, 1 indirect)
Ecosystem-wide dependent count for version 9.1.0.
DescriptionGitHub Advisory
@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. Version 9.1.0 fixes the issue.
AnalysisAI
Middleware path-matching bypass in @fastify/middie before version 9.1.0 allows authenticated attackers to access protected endpoints by using URL-encoded characters in requests, as the middleware engine fails to decode paths while the underlying router does. An attacker with valid credentials can exploit this inconsistency to circumvent middleware security controls and access restricted functionality. This vulnerability requires low privileges and network access, with no patch currently available.
Technical ContextAI
Affects fastify/middie. @fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access prot
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Fastify Middie
View all@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instance
Authentication and authorization bypass in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers rea
Authentication and authorization bypass in @fastify/middie (Node.js middleware library for Fastify) allows remote unauth
Denial of service in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers crash the Node.js process
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplica
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-cxrg-g7r8-w69p