HIGH🇵🇱 Wersja polska

CVE-2026-33804

CVSS 7.4v3.1pub. 2026-04-16upd. 2026-05-14

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Fastify Fastify\/middie

    APP
    Fastify
    < 9.3.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-14198CRITICAL9.1ten sam produkt

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before ...

CVE-2026-6270CRITICAL9.1PL ✓ten sam produkt

Pominięcie uwierzytelnienia w @fastify/middie — brak dziedziczenia middleware

CVE-2026-14181HIGH7.5ten sam produkt

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone e...

CVE-2026-2880HIGH8.2ten sam produkt

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when usi...

CVE-2026-22031HIGH8.4ten sam produkt

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability ex...