๐Ÿ” CVE Alert

CVE-2026-14198

CRITICAL 9.1

@fastify/middie vulnerable to authorization bypass via encoded slash in path parameter values

CVSS Score: 9.1
EPSS Score: 0.0%
EPSS Percentile: 0th

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions.

Patches: upgrade to @fastify/middie 9.3.3.

Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request.
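The path disagreement described above, modelled as an added example that is not code from @fastify/middie, Fastify or its router: one parameter matcher applied to the raw path (router behaviour), the same matcher applied after decoding (the affected middleware behaviour), an audit check for requests the two layers would treat differently, and the advisory's workaround of deciding authentication only after routing. The route pattern `/api/:tenant/admin`, the two pipeline functions and the `user` object are constructed for illustration.

```javascript
// Added example (constructed): models the path disagreement described in
// the advisory. Not code from @fastify/middie, Fastify or find-my-way.

// Compile an Express-style pattern such as "/api/:tenant/admin" into a regex.
// A ":param" matches exactly one segment: one or more characters other than "/".
function compilePattern(pattern) {
  const src = pattern.split('/').map(seg =>
    seg.startsWith(':') ? '([^/]+)' : seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
  ).join('/');
  return new RegExp('^' + src + '$');
}

// Router-style lookup (how the advisory says Fastify's router behaves):
// match on the raw path with %2F still encoded, decode parameter values afterwards.
function routerMatch(pattern, rawPath) {
  const m = compilePattern(pattern).exec(rawPath);
  return m ? m.slice(1).map(decodeURIComponent) : null;
}

// Decode-first lookup (the behaviour attributed to @fastify/middie 9.1.0-9.3.2):
// %2F becomes "/" before matching, so the parameter now spans two segments.
function decodeThenMatch(pattern, rawPath) {
  const m = compilePattern(pattern).exec(decodeURIComponent(rawPath));
  return m ? m.slice(1) : null;
}

// Audit check: true when the router would dispatch the request but a
// decode-first middleware registered on the same pattern would not run.
function layersDisagree(pattern, rawPath) {
  return routerMatch(pattern, rawPath) !== null && decodeThenMatch(pattern, rawPath) === null;
}

const PROTECTED_ROUTE = '/api/:tenant/admin'; // constructed route pattern

// Vulnerable shape: an auth middleware matched independently, then the router.
function pipelineWithPathMiddleware(rawPath, user) {
  const middlewareRan = decodeThenMatch(PROTECTED_ROUTE, rawPath) !== null;
  if (middlewareRan && !user.authenticated) return 'denied by middleware';
  if (routerMatch(PROTECTED_ROUTE, rawPath) === null) return 'not found';
  return 'handler reached';
}

// Workaround shape from the advisory: the router resolves the request first, then
// authentication is enforced on the resolved route (a post-routing Fastify hook or
// the handler itself), so there is no second path match to disagree with.
function pipelineWithPostRoutingHook(rawPath, user) {
  if (routerMatch(PROTECTED_ROUTE, rawPath) === null) return 'not found';
  if (!user.authenticated) return 'denied by hook';
  return 'handler reached';
}
```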

CWE CWE-436
Vendor @fastify/middie
Product @fastify/middie
Published Jul 1, 2026
Last Updated Jul 1, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: None (A:N)

Affected Versions

@fastify/middie / @fastify/middie
>= 9.1.0, < 9.3.3 (fixed in 9.3.3)

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/fastify/middie/security/advisories/GHSA-2v46-jxjm-7q3v
cna.openjsf.org: https://cna.openjsf.org/security-advisories.html

Credits

๐Ÿ” Jvr2022 mcollina UlisesGascon