@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

7.4 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

Basic Information

ID CVE-2026-33804

Source openjs

Published Apr 16, 2026 at 13:56

Modified Apr 16, 2026 at 14:41

Affected Product

Vendor @fastify/middie

Product @fastify/middie

Affected Versions @fastify/middie @fastify/middie 0

CWE Classification

CWE-436

References

{
    "lastseen": "",
    "description": "@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.",
    "published": "2026-04-16T13:56:56.176Z",
    "modified": "2026-04-16T14:41:48.659Z",
    "type": "cve",
    "title": "@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option",
    "source": "openjs",
    "references": "https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6\nhttps://cna.openjsf.org/security-advisories.html",
    "id": "CVE-2026-33804",
    "bulletinFamily": "",
    "cwe": [
        "CWE-436"
    ],
    "cvelist": null,
    "sourceData": "@fastify/middie @fastify/middie 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.4,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "@fastify/middie",
    "version": "0",
    "vendor": "@fastify/middie",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option_CVE-2026-33804