CVE-2026-33804

HIGH 7.4

@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

CVSS Score

7.4

EPSS Score

0.0%

EPSS Percentile

0th

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

CWE	CWE-436
Vendor	@fastify/middie
Product	@fastify/middie
Published	Apr 16, 2026
Last Updated	Apr 16, 2026

Stay Ahead of the Next One

Get instant alerts for @fastify/middie @fastify/middie

Be the first to know when new high vulnerabilities affecting @fastify/middie @fastify/middie are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

@fastify/middie / @fastify/middie

0 < 9.3.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6 cna.openjsf.org: https://cna.openjsf.org/security-advisories.html

Credits

🔍 FredKSchott mcollina climba03003 UlisesGascon