Description
A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).

When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.
Published: 2026-02-27
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication/Authorization bypass via improper path normalization
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper path normalization flaw in @fastify/middie that allows crafted request paths to bypass authentication and authorization checks when path‑scoped middleware is used. Attackers can request a protected path such as '/secret' while the middleware is skipped, giving them unintended access. The weakness is classified as CWE‑20, which reflects improper input validation.

Affected Systems

Affected versions are all releases of @fastify/middie earlier than 9.2.0. The product is maintained by OpenJSF and is used by applications built on the Fastify framework. Any deployment that relies on path‑scoped middleware with router normalization enabled is susceptible.

Risk and Exploitability

The flaw has a CVSS score of 8.2, indicating high severity, but the EPSS score is less than 1% so exploitation is still considered unlikely at present. It is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack vector requires an HTTP client that can control the request path; if router normalization options such as ignoreDuplicateSlashes or useSemicolonDelimiter are enabled, a crafted URL can trick the router into handling the request without executing the middleware.

Generated by OpenCVE AI on April 17, 2026 at 13:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to @fastify/middie 9.2.0 or newer.
  • Disable or remove router normalization features (ignoreDuplicateSlashes, useSemicolonDelimiter, trailing slash handling) that allow path mangling until the upgrade is applied.
  • If the application requires these features, add additional authentication checks at the route handler level or avoid using path‑scoped middleware for protected resources.

Generated by OpenCVE AI on April 17, 2026 at 13:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8p85-9qpw-fwgw @fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware
History

Thu, 19 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Openjsf
Openjsf \@fastify\/middie
CPEs cpe:2.3:a:openjsf:\@fastify\/middie:*:*:*:*:*:fastify:*:*
Vendors & Products Openjsf
Openjsf \@fastify\/middie
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Fastify
Fastify middie
Vendors & Products Fastify
Fastify middie

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.
Title @fastify/middie has an improper path normalization vulnerability
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Fastify Middie
Openjsf \@fastify\/middie
cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-02-27T18:56:02.979Z

Reserved: 2026-02-20T16:50:56.850Z

Link: CVE-2026-2880

cve-icon Vulnrichment

Updated: 2026-02-27T18:55:51.355Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T19:16:12.807

Modified: 2026-03-19T17:30:15.520

Link: CVE-2026-2880

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:00:15Z

Weaknesses