Skip to main content

Fastify Middie

6 CVEs product

Monthly

CVE-2026-14181 HIGH PATCH This Week

Denial of service in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers crash the Node.js process by sending request paths with malformed percent-encoded sequences. The standalone engine's URL normalization step fails to catch a synchronous decoder exception, terminating the process and taking down all connected clients until manual restart. Only applications that invoke middie.run directly on the standalone engine API are affected; there is no public exploit identified at time of analysis, and no EPSS or KEV data was provided.

Node.js Denial Of Service Fastify Middie
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-14198 CRITICAL PATCH Act Now

Authentication and authorization bypass in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers reach protected parameterized route handlers by placing an encoded slash (%2F) in a path parameter. The middleware layer decodes %2F before matching while Fastify's router preserves the encoding, so the two disagree on the canonical path and any middie-based auth, authz, rate-limiting, or auditing middleware silently fails to run while the route handler still fires. No public exploit identified at time of analysis; the flaw is method-agnostic and requires no special preconditions, and the vendor rates it CVSS 9.1.

Authentication Bypass Canonical Fastify Middie
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-33804 npm HIGH PATCH GHSA This Week

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

Authentication Bypass Fastify Middie
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-6270 npm CRITICAL PATCH GHSA Act Now

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.

Authentication Bypass Fastify Middie
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-2880 npm HIGH PATCH This Week

Authentication and authorization bypass in @fastify/middie (Node.js middleware library for Fastify) allows remote unauthenticated attackers to access protected endpoints by exploiting path normalization inconsistencies. When Fastify router normalization options (ignoreDuplicateSlashes, useSemicolonDelimiter, trailing-slash handling) are enabled, crafted URL paths bypass path-scoped middleware checks while still routing to protected handlers. Confirmed actively exploited (CISA KEV). Patch available in version 9.2.0. EPSS score of 0.17% (38th percentile) suggests limited widespread exploitation despite active use, likely indicating targeted attacks against known vulnerable deployments.

Authentication Bypass Fastify Middie
NVD GitHub
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-22031 npm HIGH PATCH This Week

Middleware path-matching bypass in @fastify/middie before version 9.1.0 allows authenticated attackers to access protected endpoints by using URL-encoded characters in requests, as the middleware engine fails to decode paths while the underlying router does. An attacker with valid credentials can exploit this inconsistency to circumvent middleware security controls and access restricted functionality. This vulnerability requires low privileges and network access, with no patch currently available.

Authentication Bypass Fastify Middie
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.1%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers crash the Node.js process by sending request paths with malformed percent-encoded sequences. The standalone engine's URL normalization step fails to catch a synchronous decoder exception, terminating the process and taking down all connected clients until manual restart. Only applications that invoke middie.run directly on the standalone engine API are affected; there is no public exploit identified at time of analysis, and no EPSS or KEV data was provided.

Node.js Denial Of Service Fastify Middie
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication and authorization bypass in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers reach protected parameterized route handlers by placing an encoded slash (%2F) in a path parameter. The middleware layer decodes %2F before matching while Fastify's router preserves the encoding, so the two disagree on the canonical path and any middie-based auth, authz, rate-limiting, or auditing middleware silently fails to run while the route handler still fires. No public exploit identified at time of analysis; the flaw is method-agnostic and requires no special preconditions, and the vendor rates it CVSS 9.1.

Authentication Bypass Canonical Fastify Middie
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

Authentication Bypass Fastify Middie
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.

Authentication Bypass Fastify Middie
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authentication and authorization bypass in @fastify/middie (Node.js middleware library for Fastify) allows remote unauthenticated attackers to access protected endpoints by exploiting path normalization inconsistencies. When Fastify router normalization options (ignoreDuplicateSlashes, useSemicolonDelimiter, trailing-slash handling) are enabled, crafted URL paths bypass path-scoped middleware checks while still routing to protected handlers. Confirmed actively exploited (CISA KEV). Patch available in version 9.2.0. EPSS score of 0.17% (38th percentile) suggests limited widespread exploitation despite active use, likely indicating targeted attacks against known vulnerable deployments.

Authentication Bypass Fastify Middie
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Middleware path-matching bypass in @fastify/middie before version 9.1.0 allows authenticated attackers to access protected endpoints by using URL-encoded characters in requests, as the middleware engine fails to decode paths while the underlying router does. An attacker with valid credentials can exploit this inconsistency to circumvent middleware security controls and access restricted functionality. This vulnerability requires low privileges and network access, with no patch currently available.

Authentication Bypass Fastify Middie
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy