← back
CVE-2026-2880

@fastify/middie has an improper path normalization vulnerability

CVSS 8.2 HIGHEPSS 0.4%CWE-20
A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products
@fastify/middie · @fastify/middie

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw