Executive Summary

CVE-2026-22031 is a security vulnerability in the @fastify/middie middleware package where middleware registered for specific path prefixes can be bypassed by using URL-encoded characters in the request path. The middleware matches paths using regular expressions against the raw, undecoded URL (e.g., '/%61dmin'), while Fastify's internal router decodes the URL before matching routes (e.g., decoding '/%61dmin' to '/admin'). This mismatch causes the middleware to skip execution for encoded URLs, but the route handler still executes, allowing attackers to access protected endpoints without middleware protections like authentication or rate limiting. The issue is fixed in version 9.1.0 by decoding URL paths before middleware matching. [2, 4, 1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to bypass middleware protections such as authentication, authorization, rate limiting, or IP filtering on protected routes. As a result, attackers can gain unauthorized access to sensitive or protected endpoints in applications using @fastify/middie middleware, potentially leading to data breaches, unauthorized actions, or service disruptions. The severity is high with a CVSS v3.1 base score of 8.4. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing if middleware protections are bypassed when accessing URL-encoded paths. For example, if you have middleware protecting the '/admin' path, you can test access by sending requests to both '/admin' and its URL-encoded equivalent '/%61dmin'. If the request to '/admin' is blocked but the request to '/%61dmin' is allowed, the system is vulnerable. Commands to test this could include using curl or similar tools: 1. curl -i http://yourserver/admin 2. curl -i http://yourserver/%61dmin Comparing the responses will indicate if middleware is bypassed for encoded paths. [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the @fastify/middie package to version 9.1.0 or later, where the vulnerability is fixed by properly decoding URL paths before matching middleware routes. This ensures that middleware protections cannot be bypassed using URL-encoded characters. Applying this update will align middleware matching with Fastify's route handling and close the bypass. [2, 4, 1]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to bypass middleware protections such as authentication, authorization, rate limiting, or IP filtering by exploiting improper handling of URL-encoded characters. As a result, protected endpoints can be accessed without the intended security controls, potentially leading to unauthorized access to sensitive data or systems. Such unauthorized access could cause non-compliance with common standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information. Therefore, the vulnerability poses a risk to compliance by undermining security measures designed to protect data privacy and integrity. [2, 4]

Useful 0 Not Useful 0