CVE-2026-33804 - Vulnerability Details

- @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

Description

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

Published: 2026-04-16

Score: 7.4 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an attacker to bypass middleware authentication and authorization checks by sending requests that contain duplicate slashes, exploiting a mismatch between Fastify’s router normalisation and the middleware path matching logic when the deprecated ignoreDuplicateSlashes option is enabled. This can allow unauthorised access to protected resources or API endpoints.

Affected Systems

The affected component is the @fastify/middie library, versions 9.3.1 and earlier. Applications that include these versions and enable the ignoreDuplicateSlashes configuration option are vulnerable. The issue does not exist in @fastify/middie 9.3.2 or later, nor in applications that do not use the deprecated option.

Risk and Exploitability

With a CVSS score of 7.4, the vulnerability is considered high‑medium risk. No EPSS data is available, and it is not listed in the CISA known exploited vulnerabilities catalog. The attack vector is local to the web application context and requires an attacker to craft a URL containing duplicate slashes; the patch is only effective when the ignoreDuplicateSlashes option is enabled. If the option is disabled, the vulnerability cannot be exploited.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

@fastify/middie

unaffected

Version	Status	Constraints
`0`	affected	< 9.3.2
`9.3.2`	unaffected	—

No data.

Vendor Product Confidence Versions

Fastify

Middie

100%

Version	Status	Scheme	Platform
`[0,9.3.2)`	affected	generic	—
`9.3.2`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the @fastify/middie dependency to 9.3.2 or newer.
If upgrading immediately is not possible, disable the ignoreDuplicateSlashes configuration option so that the router no longer normalises duplicate slashes.
Audit the application configuration to ensure that the ignoreDuplicateSlashes setting is not enabled in any environment or configuration file.

Generated by OpenCVE AI on April 17, 2026 at 04:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-v9ww-2j6r-98q6	@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00041.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://cna.openjsf.org/security-advisories.html
https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6

History

Thu, 16 Apr 2026 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fastify Fastify middie
Vendors & Products		Fastify Fastify middie

Thu, 16 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 16 Apr 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.
Title		@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
Weaknesses		CWE-436
References		https://cna.openjsf.org/security-advisories.html https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6
Metrics		cvssV3_1 `{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Fastify Middie

MITRE

Status: PUBLISHED

Assigner: openjs

Published: 2026-04-16T13:56:56.176Z

Updated: 2026-04-16T14:41:48.659Z

Reserved: 2026-03-23T19:48:48.714Z

Link: CVE-2026-33804

Vulnrichment

Updated: 2026-04-16T14:41:41.714Z

NVD

Status : Undergoing Analysis

Published: 2026-04-16T15:17:34.633

Modified: 2026-04-17T15:17:00.957

Link: CVE-2026-33804

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T04:15:09Z

Weaknesses

CWE-436

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object