Description
@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder to throw synchronously, and the exception escapes the middie normalize step and terminates the Node.js process. The bypass affects applications that call middie.run directly on the standalone engine API, causing an immediate denial of service for all connected clients until restart. Applications using the Fastify plugin path are not affected because Fastify's error handler catches the exception. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: migrate from the standalone engine API to the Fastify plugin path, where the framework error handler catches the exception.
Published: 2026-07-01
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a lack of validation of URL paths during the normalization step in the @fastify/middie standalone engine. Malformed percent‑encoded sequences, such as incomplete percent escapes or truncated multibyte characters, trigger a decoder exception that is not caught. Because the exception propagates out of the normalize step, the Node.js event loop is terminated, abruptly shutting down the entire server. This results in a denial of service for all connected clients until the application is restarted, and it is caused by improper error handling (CWE‑248).

Affected Systems

All installations of @fastify/middie between versions 9.1.0 and 9.3.2 that expose the standalone engine API are affected. Applications that invoke middie.run directly with these versions fall within the scope. The vulnerability does not apply to configurations that use the Fastify plugin path, as the framework’s error handler intercepts the exception and prevents process termination.

Risk and Exploitability

The nominal CVSS score of 7.5 indicates high severity. EPSS data is unavailable, so the current exploitation probability cannot be quantified, but given the direct impact of a single crafted HTTP request it remains a concern. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it remotely by sending a request with a malformed percent‑encoded path to any running server using the affected engine. Such an attack requires no special privileges or authentication and can be performed from any network location that can reach the service.

Generated by OpenCVE AI on July 2, 2026 at 10:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @fastify/middie to version 9.3.3 or newer.
  • If an upgrade is not feasible immediately, refactor the code to remove direct calls to the standalone engine API and instead register routes via the Fastify plugin path.
  • After applying the changes, test the application by sending malformed percent‑encoded URLs to confirm that the server no longer crashes.
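The following JavaScript is an added illustration, not @fastify/middie's own code, of the defect class the record describes (CWE-248) beside the guarded form that a patched normalize step needs. It assumes nothing about middie's internals: the function names, the `/health` route, and the probe URLs are all constructed for the example. The unguarded variant shows how `decodeURIComponent` throws a `URIError` on an incomplete escape, a non-hex escape, or a truncated multibyte sequence; the hardened variant catches only that error class and turns it into a 400 response, which is also the behaviour the last recommended action above tells you to verify.

```javascript
// Added illustration (not @fastify/middie's own code): a URL-normalization
// step that treats malformed percent-encoding as a 400 client error instead
// of letting the decoder's URIError escape and terminate the process.

// Shape of the bug (CWE-248): decodeURIComponent throws URIError on inputs
// such as "%", "%ZZ" or a truncated multibyte sequence like "%E0%A4". If no
// frame above this one catches it, Node exits with an uncaught exception.
function unguardedNormalize(url) {
  return decodeURIComponent(url.split('?')[0]);
}

// Hardened decode: classify URIError as a client error (return null) and
// re-throw anything else so genuine bugs are not silently swallowed.
function safeDecodePath(rawPath) {
  try {
    return decodeURIComponent(rawPath);
  } catch (err) {
    if (err instanceof URIError) return null;
    throw err;
  }
}

// Returns { ok: true, path } on success, or { ok: false, status: 400 } when
// the percent-encoding is malformed. The query string is dropped and
// duplicate slashes are collapsed.
function normalizePath(url) {
  const rawPath = url.split('?')[0];
  const decoded = safeDecodePath(rawPath);
  if (decoded === null) {
    return { ok: false, status: 400, reason: 'malformed percent-encoding' };
  }
  return { ok: true, path: decoded.replace(/\/{2,}/g, '/') };
}

// Minimal stand-in for a standalone dispatcher (hypothetical, not middie.run):
// maps a raw request URL to the HTTP status the server would answer with, so
// the behaviour can be checked without opening a socket.
function dispatch(url) {
  const result = normalizePath(url);
  if (!result.ok) return result.status;
  return result.path === '/health' ? 200 : 404;
}

// True when the unguarded step would let a URIError escape for this URL.
function crashesUnguarded(url) {
  try {
    unguardedNormalize(url);
    return false;
  } catch (err) {
    return err instanceof URIError;
  }
}

// Constructed probe set mirroring the record: a valid path, an incomplete
// escape, a truncated multibyte sequence, a non-hex escape, and a malformed
// escape that sits only in the query string (which the normalizer drops).
const PROBES = ['/health', '/bad%', '/trunc%E0%A4', '/x%ZZ', '/a%20b//c?q=%'];

for (const url of PROBES) {
  console.log(
    url.padEnd(18),
    'unguarded throws:', String(crashesUnguarded(url)).padEnd(5),
    'hardened status:', dispatch(url)
  );
}
```

The catch is deliberately narrow: only `URIError` is mapped to a 400, because a broad `catch (e) {}` or a process-wide `uncaughtException` handler would hide unrelated programming errors and leave the server running in an unknown state. Keeping the guard at the normalize step, where the untrusted input is first interpreted, is the same boundary the Fastify plugin path already enforces through the framework's error handler.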

Generated by OpenCVE AI on July 2, 2026 at 10:36 UTC.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 11:45:00 +0000

Type Values Removed Values Added
Description @fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder to throw synchronously, and the exception escapes the middie normalize step and terminates the Node.js process. The bypass affects applications that call middie.run directly on the standalone engine API, causing an immediate denial of service for all connected clients until restart. Applications using the Fastify plugin path are not affected because Fastify's error handler catches the exception. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: migrate from the standalone engine API to the Fastify plugin path, where the framework error handler catches the exception.
Title @fastify/middie standalone engine vulnerable to Denial of Service via malformed percent-encoded paths
Weaknesses CWE-248
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-07-01T12:05:42.403Z

Reserved: 2026-06-30T08:01:38.033Z

Link: CVE-2026-14181

Vulnrichment

Updated: 2026-07-01T12:05:35.652Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T10:45:03Z

Weaknesses