CVE-2026-33804
Received Received - Intake
Middleware Bypass in @fastify/middie via Duplicate Slashes

Publication date: 2026-04-16

Last updated on: 2026-04-22

Assigner: openjs

Description
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33804
EUVD
EUVD-2026-23235
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openjsf @fastify/middie to 9.3.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects @fastify/middie versions 9.3.1 and earlier when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The issue arises because the middleware path matching logic does not properly handle duplicate slashes in URLs, which Fastify's router normally normalizes. As a result, requests containing duplicate slashes can bypass middleware that performs authentication and authorization checks.

This means that if an application uses the deprecated ignoreDuplicateSlashes option, attackers can craft requests with duplicate slashes to circumvent security middleware.

The vulnerability is fixed in @fastify/middie version 9.3.2 by addressing this bypass issue.

Impact Analysis

This vulnerability can have a significant impact by allowing unauthorized users to bypass middleware responsible for authentication and authorization.

As a result, attackers could gain unauthorized access to protected resources or perform actions they should not be allowed to, potentially leading to data breaches or unauthorized operations.

The CVSS score of 7.4 (High) reflects the severity of this issue, indicating a high impact on confidentiality and integrity.

Mitigation Strategies

To mitigate this vulnerability, upgrade @fastify/middie to version 9.3.2 or later.

Alternatively, disable the deprecated ignoreDuplicateSlashes option in Fastify, as there are no other workarounds.

Compliance Impact

This vulnerability allows middleware authentication and authorization checks to be bypassed when the deprecated ignoreDuplicateSlashes option is enabled in @fastify/middie versions 9.3.1 and earlier.

Bypassing authentication and authorization can lead to unauthorized access to sensitive data or functionality, which may result in non-compliance with standards and regulations such as GDPR and HIPAA that require strict access controls and protection of personal or health information.

However, this issue only affects applications using the deprecated ignoreDuplicateSlashes option, and upgrading to version 9.3.2 or disabling this option mitigates the risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33804. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart