Skip to main content

@fastify/middie CVE-2026-2880

HIGH
Improper Input Validation (CWE-20)
2026-02-27 ce714d77-add3-4f53-aff5-83d477b104bb GHSA-8p85-9qpw-fwgw
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Source Code Evidence Fetched
May 14, 2026 - 15:57 vuln.today
Analysis Updated
May 14, 2026 - 15:57 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 14, 2026 - 15:52 vuln.today
cvss_changed
CVSS changed
May 14, 2026 - 15:52 NVD
8.2 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 27, 2026 - 19:16 nvd
N/A

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on @fastify/middie (1 direct, 1 indirect)

Ecosystem-wide dependent count for version 9.2.0.

DescriptionCVE.org

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).

When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.

AnalysisAI

Authentication and authorization bypass in @fastify/middie (Node.js middleware library for Fastify) allows remote unauthenticated attackers to access protected endpoints by exploiting path normalization inconsistencies. When Fastify router normalization options (ignoreDuplicateSlashes, useSemicolonDelimiter, trailing-slash handling) are enabled, crafted URL paths bypass path-scoped middleware checks while still routing to protected handlers. Confirmed actively exploited (CISA KEV). Patch available in version 9.2.0. EPSS score of 0.17% (38th percentile) suggests limited widespread exploitation despite active use, likely indicating targeted attacks against known vulnerable deployments.

Technical ContextAI

The vulnerability stems from canonicalization drift between @fastify/middie's path matching logic for app.use('/prefix', middleware) and Fastify's find-my-way router normalization. When router options like ignoreDuplicateSlashes or useSemicolonDelimiter are enabled, the middleware layer evaluates a different normalized path than the routing layer. This is a classic CWE-20 (Improper Input Validation) issue where inconsistent path parsing across security boundaries creates a bypass opportunity. The affected package is the official Fastify middleware adapter for Express/Connect-style middleware (npm package @fastify/middie for Node.js, CPE: cpe:2.3:a:fastify:fastify/middie:*:*:*:*:*:node.js:*:*), which enables Express middleware compatibility in Fastify applications.

RemediationAI

Upgrade @fastify/middie to version 9.2.0 or later (npm update @fastify/middie) as released by vendor. Patch commit available at https://github.com/fastify/middie/commit/140e0dd0359d890fec7e6ea1dcc5134d6bd554d4 and vendor advisory at https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw. If immediate upgrade is not feasible, implement compensating controls: (1) Move authentication and authorization logic from path-scoped middie middleware (app.use('/prefix', auth)) to route-level Fastify hooks (onRequest, preHandler) which execute after router normalization, ensuring consistent path evaluation - trade-off is code refactoring effort but eliminates bypass vector entirely. (2) Disable Fastify router normalization options (ignoreDuplicateSlashes, useSemicolonDelimiter, trailing slash handling) if not operationally required - trade-off is potential breakage of existing API contracts that rely on path normalization tolerance. (3) Deploy additional perimeter controls like web application firewall rules to block URLs with duplicate slashes or semicolons targeting protected paths - trade-off is maintenance overhead and potential false positives. Vendor explicitly recommends against relying solely on path-scoped middie guards for security boundaries until patched.

Share

CVE-2026-2880 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy