@fastify/middie CVE-2026-2880
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 2 npm packages depend on @fastify/middie (1 direct, 1 indirect)
Ecosystem-wide dependent count for version 9.2.0.
DescriptionCVE.org
A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).
When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.
AnalysisAI
Authentication and authorization bypass in @fastify/middie (Node.js middleware library for Fastify) allows remote unauthenticated attackers to access protected endpoints by exploiting path normalization inconsistencies. When Fastify router normalization options (ignoreDuplicateSlashes, useSemicolonDelimiter, trailing-slash handling) are enabled, crafted URL paths bypass path-scoped middleware checks while still routing to protected handlers. Confirmed actively exploited (CISA KEV). Patch available in version 9.2.0. EPSS score of 0.17% (38th percentile) suggests limited widespread exploitation despite active use, likely indicating targeted attacks against known vulnerable deployments.
Technical ContextAI
The vulnerability stems from canonicalization drift between @fastify/middie's path matching logic for app.use('/prefix', middleware) and Fastify's find-my-way router normalization. When router options like ignoreDuplicateSlashes or useSemicolonDelimiter are enabled, the middleware layer evaluates a different normalized path than the routing layer. This is a classic CWE-20 (Improper Input Validation) issue where inconsistent path parsing across security boundaries creates a bypass opportunity. The affected package is the official Fastify middleware adapter for Express/Connect-style middleware (npm package @fastify/middie for Node.js, CPE: cpe:2.3:a:fastify:fastify/middie:*:*:*:*:*:node.js:*:*), which enables Express middleware compatibility in Fastify applications.
RemediationAI
Upgrade @fastify/middie to version 9.2.0 or later (npm update @fastify/middie) as released by vendor. Patch commit available at https://github.com/fastify/middie/commit/140e0dd0359d890fec7e6ea1dcc5134d6bd554d4 and vendor advisory at https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw. If immediate upgrade is not feasible, implement compensating controls: (1) Move authentication and authorization logic from path-scoped middie middleware (app.use('/prefix', auth)) to route-level Fastify hooks (onRequest, preHandler) which execute after router normalization, ensuring consistent path evaluation - trade-off is code refactoring effort but eliminates bypass vector entirely. (2) Disable Fastify router normalization options (ignoreDuplicateSlashes, useSemicolonDelimiter, trailing slash handling) if not operationally required - trade-off is potential breakage of existing API contracts that rely on path normalization tolerance. (3) Deploy additional perimeter controls like web application firewall rules to block URLs with duplicate slashes or semicolons targeting protected paths - trade-off is maintenance overhead and potential false positives. Vendor explicitly recommends against relying solely on path-scoped middie guards for security boundaries until patched.
More in Fastify Middie
View all@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instance
Authentication and authorization bypass in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers rea
Middleware path-matching bypass in @fastify/middie before version 9.1.0 allows authenticated attackers to access protect
Denial of service in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers crash the Node.js process
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplica
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8p85-9qpw-fwgw