Impact
The vulnerability arises from missing validation of URL paths in the normalization step of the @fastify/middie standalone engine. Malformed percent‑encoded sequences, such as an incomplete percent escape or a truncated multibyte character, make the percent‑decoder throw (the behaviour of Node.js's decodeURIComponent, which raises a URIError on such input), and nothing catches the exception. Because it propagates out of the normalize step, it becomes an uncaught exception that terminates the Node.js process, taking the whole server down with it. The result is a denial of service for every connected client until the application is restarted. The root cause is improper error handling, classified as CWE‑248 (Uncaught Exception).
Affected Systems
All installations of @fastify/middie between versions 9.1.0 and 9.3.2 that expose the standalone engine API are affected; in practice, that means applications that call middie.run directly on those versions. Configurations that use the Fastify plugin path are not affected, because the framework's error handler intercepts the exception and keeps the process alive.
Risk and Exploitability
The CVSS base score of 7.5 rates the issue as high severity. No EPSS data is available, so the probability of exploitation cannot be quantified, but since a single crafted HTTP request is enough to stop the process, it remains a concern. The vulnerability is not listed in the CISA KEV catalog. An attacker exploits it remotely by sending a request whose path contains a malformed percent‑encoded sequence to any server running the affected engine. No privileges or authentication are required, and the request can originate from any network location that can reach the service.
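As an added illustration that is not code from @fastify/middie or Fastify, the following Node.js snippet models both the failure mode described under Impact and the crafted request described above: a normalizer that percent‑decodes the path without catching the URIError, beside a hardened form that checks the escapes and turns malformed input into a 400 Bad Request instead of an uncaught exception. The sample paths, the function names (normalizeUnguarded, normalizeGuarded, handleRequest, classify, hasWellFormedEscapes) and the 400 response are assumptions of this example, not the project's code or its fix.

```javascript
// Added example, not @fastify/middie code. It models the advisory's failure
// mode (a percent-decoder throwing inside URL normalization with nothing
// catching it) and a hardened form that answers 400 for the same input.

// Constructed sample paths. The first four are malformed; the last two are well-formed.
const SAMPLE_PATHS = [
  '/%',          // incomplete percent escape
  '/%E0%A4%A',   // truncated multibyte sequence (last escape cut short)
  '/%C3',        // lone lead byte of a two-byte UTF-8 sequence
  '/%ZZ',        // non-hex digits after '%'
  '/a%20b',      // well-formed, decodes to '/a b'
  '/%E0%A4%A4',  // complete three-byte sequence, decodes to U+0924
];

// Models the unguarded behaviour: decodeURIComponent raises a URIError on
// malformed input and the error propagates to the caller. In a request
// handler with no try/catch that is an uncaught exception, and Node.js
// terminates the process.
function normalizeUnguarded(path) {
  return decodeURIComponent(path);
}

// Syntactic check: every '%' must begin a complete two-hex-digit escape.
// Note that '/%C3' passes this check yet still fails to decode, because the
// byte sequence is valid percent-encoding but truncated UTF-8.
const PERCENT_ESCAPE = /%[0-9A-Fa-f]{2}/g;
function hasWellFormedEscapes(path) {
  return path.replace(PERCENT_ESCAPE, '').indexOf('%') === -1;
}

// Hardened form: validate first, then decode inside try/catch so a URIError
// is reported as null (malformed) instead of escaping the normalize step.
function normalizeGuarded(path) {
  if (!hasWellFormedEscapes(path)) return null;
  try {
    return decodeURIComponent(path);
  } catch (err) {
    if (err instanceof URIError) return null;
    throw err; // anything else is a genuine bug and should surface
  }
}

// Minimal dispatcher standing in for a standalone engine: returns the
// status the engine would answer with rather than crashing.
function handleRequest(path) {
  const decoded = normalizeGuarded(path);
  if (decoded === null) return { status: 400, path: null };
  return { status: 200, path: decoded };
}

// Classify a path by what the unguarded normalizer does with it.
function classify(path) {
  try {
    normalizeUnguarded(path);
    return 'ok';
  } catch (err) {
    return err instanceof URIError ? 'throws' : 'other';
  }
}

for (const p of SAMPLE_PATHS) {
  console.log(JSON.stringify(p), 'unguarded:', classify(p), 'guarded:', handleRequest(p).status);
}
```

To check a running standalone-engine deployment, send one of the malformed paths with curl, for example `curl -i 'http://HOST:PORT/%E0%A4%A'` with HOST:PORT replaced by the service address. A vulnerable engine exits with an uncaught URIError, while a hardened one keeps serving and answers the request with an error status.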
OpenCVE Enrichment