CRITICAL🇬🇧 English

CVE-2026-14198

CVSS 9.1v3.1pub. 2026-07-01upd. 2026-07-02

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Fastify Fastify\/middie

    APP
    Fastify
    9.1.0 – 9.3.3 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-6270CRITICAL9.1PL ✓ten sam produkt

Pominięcie uwierzytelnienia w @fastify/middie — brak dziedziczenia middleware

CVE-2026-14181HIGH7.5ten sam produkt

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone e...

CVE-2026-33804HIGH7.4ten sam produkt

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ign...

CVE-2026-2880HIGH8.2ten sam produkt

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when usi...

CVE-2026-22031HIGH8.4ten sam produkt

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability ex...