CVE-2026-2880

UNKNOWN 0.0

@fastify/middie has an improper path normalization vulnerability

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.

CWE	CWE-20
Vendor	@fastify/middie
Product	@fastify/middie
Published	Feb 27, 2026
Last Updated	Feb 27, 2026

Stay Ahead of the Next One

Get instant alerts for @fastify/middie @fastify/middie

Be the first to know when new unknown vulnerabilities affecting @fastify/middie @fastify/middie are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

@fastify/middie / @fastify/middie

0.0.0 < 9.2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw