CVE-2026-33804
Middleware Bypass in @fastify/middie via Duplicate Slashes
Publication date: 2026-04-16
Last updated on: 2026-04-22
Assigner: openjs
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openjsf | @fastify/middie | < 9.3.2 (all releases up to and including 9.3.1; 9.3.2 is fixed) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-436 | Interpretation Conflict: Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. Here the router and the middleware layer interpret the same request path differently. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects @fastify/middie versions 9.3.1 and earlier, and only when the deprecated Fastify ignoreDuplicateSlashes option is enabled. With that option on, Fastify's router collapses runs of slashes before matching a route, so a request for a path such as //admin/users is dispatched to the handler registered for /admin/users. middie's path matching for middleware did not apply the same normalization: it compared a middleware's path against the raw request URL, so, for example, middleware registered for /admin was not run for //admin/users even though the protected route handler was. Any authentication or authorization check implemented as path-restricted middleware could therefore be skipped by inserting an extra slash into the request path.
In other words, an application that enables ignoreDuplicateSlashes and relies on middleware for access control lets an attacker reach protected routes simply by adding duplicate slashes to the URL.
The fix in @fastify/middie 9.3.2 makes the middleware path matching consistent with the router's handling of duplicate slashes, so both layers act on the same path.
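To make the interpretation conflict concrete, the following is an added example written for this page in plain Node.js; it is not code from @fastify/middie or Fastify, and the /admin mount path, the /admin/users route, the sample URLs and all function names are assumptions chosen for illustration. The vulnerable flow checks the middleware mount path against the raw request path while the router matches the collapsed path; the hardened flow normalizes once and uses the same path for both decisions.

```javascript
// Model of the interpretation conflict behind CVE-2026-33804 (added example,
// NOT @fastify/middie or Fastify source). The mount path "/admin", the route
// "/admin/users" and the sample URLs are assumptions for illustration only.
'use strict';

// Normalization the router applies when ignoreDuplicateSlashes is enabled:
// every run of two or more "/" becomes a single "/".
function collapseDuplicateSlashes(path) {
  return path.replace(/\/\/+/g, '/');
}

// Route and middleware matching operate on the path only, so drop the query.
function pathOf(rawUrl) {
  const q = rawUrl.indexOf('?');
  return q === -1 ? rawUrl : rawUrl.slice(0, q);
}

// Prefix-style mount check: the path must equal the mount path or continue it
// at a "/" boundary ("/admin" matches "/admin" and "/admin/x", not "/admins").
function mountMatches(mountPath, path) {
  if (mountPath === '/') return true;
  if (!path.startsWith(mountPath)) return false;
  const rest = path.slice(mountPath.length);
  return rest === '' || rest.startsWith('/');
}

// Vulnerable flow: the auth middleware mounted at "/admin" is checked against
// the RAW path, while the router decides on the collapsed path.
function simulateVulnerable(rawUrl, { ignoreDuplicateSlashes }) {
  const rawPath = pathOf(rawUrl);
  const routerPath = ignoreDuplicateSlashes ? collapseDuplicateSlashes(rawPath) : rawPath;
  const authRan = mountMatches('/admin', rawPath);   // raw, not normalized
  const routeHit = routerPath === '/admin/users';    // router, normalized
  return { authRan, routeHit, bypassed: routeHit && !authRan };
}

// Hardened flow: normalize once and feed the same path to both decisions.
function simulateHardened(rawUrl, { ignoreDuplicateSlashes }) {
  const rawPath = pathOf(rawUrl);
  const path = ignoreDuplicateSlashes ? collapseDuplicateSlashes(rawPath) : rawPath;
  const authRan = mountMatches('/admin', path);
  const routeHit = path === '/admin/users';
  return { authRan, routeHit, bypassed: routeHit && !authRan };
}

// Constructed sample requests (not taken from the advisory).
const SAMPLE_URLS = ['/admin/users', '//admin/users', '/admin//users?x=1', '//admin//users'];

// Run one flow over all samples and return the per-URL outcome.
function report(simulate, opts) {
  return SAMPLE_URLS.map((url) => ({ url, ...simulate(url, opts) }));
}

function demo() {
  const on = { ignoreDuplicateSlashes: true };
  const off = { ignoreDuplicateSlashes: false };
  console.log('vulnerable, option on: ', JSON.stringify(report(simulateVulnerable, on)));
  console.log('hardened,   option on: ', JSON.stringify(report(simulateHardened, on)));
  console.log('vulnerable, option off:', JSON.stringify(report(simulateVulnerable, off)));
}

demo();
```

Running it prints the outcome for each sample URL under the three configurations. Two details are worth noticing: only a duplicate slash that breaks the mount prefix (//admin/users) defeats the check, while /admin//users still satisfies the prefix and the middleware runs; and with ignoreDuplicateSlashes off, //admin/users matches no route at all, which is why disabling the option is a valid workaround even though it does not change the middleware matching itself.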
How can this vulnerability impact me?
The impact is that unauthenticated or under-privileged users can bypass middleware responsible for authentication and authorization on affected applications.
An attacker who adds a duplicate slash to a request path can reach protected route handlers without the middleware ever running, gaining access to resources or operations they should not be allowed to use, which can lead to data exposure or unauthorized changes.
The CVSS score of 7.4 (High) reflects this: the issue is reachable over the network without credentials and has a high impact on confidentiality and integrity.
What immediate steps should I take to mitigate this vulnerability?
Upgrade @fastify/middie to version 9.3.2 or later; running `npm ls @fastify/middie` shows which version is installed, including transitive copies.
If you cannot upgrade immediately, the only workaround is to stop enabling the deprecated ignoreDuplicateSlashes option in Fastify, so that the router and the middleware layer see the same path; there is no other workaround. Note that disabling the option changes routing behaviour: requests with duplicate slashes will no longer be normalized and will no longer match your routes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows middleware-based authentication and authorization checks to be bypassed when the deprecated ignoreDuplicateSlashes option is enabled with @fastify/middie versions 9.3.1 and earlier.
Bypassing those checks can expose sensitive data or functionality to unauthorized parties, which may put an application out of compliance with standards and regulations such as GDPR and HIPAA that require effective access controls over personal or health information.
However, the issue only affects applications that enable ignoreDuplicateSlashes, and upgrading to version 9.3.2 or disabling that option removes the risk.