Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (openjs) · only source for this CVE.
CVSS VectorVendor: openjs
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request.
AnalysisAI
Authentication and authorization bypass in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers reach protected parameterized route handlers by placing an encoded slash (%2F) in a path parameter. The middleware layer decodes %2F before matching while Fastify's router preserves the encoding, so the two disagree on the canonical path and any middie-based auth, authz, rate-limiting, or auditing middleware silently fails to run while the route handler still fires. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
24 hours: Inventory all deployments running @fastify/middie 9.1.0-9.3.2; verify impact scope across production and staging environments; subscribe to CISA alerts and fastify security advisories. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Fastify Middie
View all@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instance
Middleware path-matching bypass in @fastify/middie before version 9.1.0 allows authenticated attackers to access protect
Authentication and authorization bypass in @fastify/middie (Node.js middleware library for Fastify) allows remote unauth
Denial of service in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers crash the Node.js process
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplica
Same weakness CWE-436 – Interpretation Conflict
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40946