CVE-2026-33804

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cna.openjsf.org/security-advisories.html	Vendor Advisory
https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openjsf:\@fastify\/middie:*:*:*:*:*:fastify:*:*

History

22 Apr 2026, 17:30

Type	Values Removed	Values Added
References	~~() https://cna.openjsf.org/security-advisories.html -~~	() https://cna.openjsf.org/security-advisories.html - Vendor Advisory
References	~~() https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6 -~~	() https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6 - Mitigation, Vendor Advisory
First Time		Openjsf \@fastify\/middie Openjsf
CPE		cpe:2.3:a:openjsf:\@fastify\/middie::::::fastify::*

16 Apr 2026, 15:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-16 15:17

Updated : 2026-04-22 17:30

NVD link : CVE-2026-33804

Mitre link : CVE-2026-33804

CVE.ORG link : CVE-2026-33804

JSON object : View

Products Affected

openjsf

\@fastify\/middie

CWE

CWE-436

Interpretation Conflict

{"id": "CVE-2026-33804", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2026-04-16T15:17:34.633", "references": [{"url": "https://cna.openjsf.org/security-advisories.html", "tags": ["Vendor Advisory"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6", "tags": ["Mitigation", "Vendor Advisory"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "description": [{"lang": "en", "value": "CWE-436"}]}], "descriptions": [{"lang": "en", "value": "@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option."}], "lastModified": "2026-04-22T17:30:47.793", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openjsf:\\@fastify\\/middie:*:*:*:*:*:fastify:*:*", "vulnerable": true, "matchCriteriaId": "889CB205-5472-4C03-9928-219ED80AC0ED", "versionEndExcluding": "9.3.2"}], "operator": "OR"}]}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb"}