CVE-2026-14181
Status: Received - Intake

Denial of Service in Fastify Middie via Malformed Percent-Encoded Paths

Vulnerability report for CVE-2026-14181, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: openjs

Description

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder to throw synchronously, and the exception escapes the middie normalize step and terminates the Node.js process. The defect affects applications that call middie.run directly on the standalone engine API, causing an immediate denial of service for all connected clients until restart. Applications using the Fastify plugin path are not affected because Fastify's error handler catches the exception. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: migrate from the standalone engine API to the Fastify plugin path, where the framework error handler catches the exception.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: fastify
Product: middie
Version / Range: from 9.1.0 (inclusive) to 9.3.2 (inclusive)

Exploitability

CWE-248: An exception is thrown from a function, but it is not caught.

AI Quick Actions

Executive Summary

The CVE-2026-14181 vulnerability affects the @fastify/middie package versions 9.1.0 through 9.3.2. It occurs when the standalone engine API is used directly to process incoming request paths containing malformed percent-encoded sequences, such as incomplete percent escapes or truncated multibyte sequences.

These malformed inputs cause the underlying URL decoder to throw an uncaught synchronous exception (URIError), which escapes the normalization step and terminates the Node.js process running the application.

Applications using the Fastify plugin path are not affected because Fastify's error handler catches this exception.

The vulnerability is due to an uncaught exception in the standalone engine's path normalization logic.

Impact Analysis

This vulnerability can cause an immediate denial of service (DoS) for all connected clients of an application using the vulnerable @fastify/middie versions 9.1.0 through 9.3.2 with the standalone engine API.

When a request with a malformed percent-encoded path is received, the Node.js process crashes due to an uncaught exception, causing the application to stop responding until it is manually restarted.

This disrupts availability and service continuity, potentially impacting users and dependent systems.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or unexpected termination of Node.js processes running the @fastify/middie package versions 9.1.0 through 9.3.2 when handling HTTP requests with malformed percent-encoded paths.

Specifically, sending HTTP requests with malformed percent-encoded sequences such as '/%zz', '/%', or truncated multibyte sequences like '/%E2%82' to the affected server can trigger the vulnerability and cause the process to crash.

A simple test command using curl to detect this issue could be:

  • curl -v http://yourserver/%zz
  • curl -v http://yourserver/%
  • curl -v http://yourserver/%E2%82

If the Node.js process crashes or restarts immediately after such requests, it indicates the presence of the vulnerability.

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade the @fastify/middie package to version 9.3.3 or later, where the issue has been patched.

If upgrading is not immediately possible, a workaround is to migrate from using the standalone engine API (e.g., calling middie.run directly) to using the Fastify plugin path (e.g., fastify.register(middie)), as Fastify's error handler catches the exception and prevents the process from crashing.

These steps will prevent the denial of service caused by malformed percent-encoded request paths.
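The guard the standalone engine was missing, shown here as an added JavaScript example that is not @fastify/middie's or Fastify's own code: decodeURIComponent is the decoder that throws URIError on the three paths listed under Detection Guidance, and the request handler and sample paths are assumptions made for the illustration.

```javascript
// Added example, not @fastify/middie's own code: a guarded percent-decoding
// step of the kind a standalone engine needs so that a malformed path yields
// a 400 response instead of an uncaught URIError that ends the process.

// Unguarded decode, kept for comparison: decodeURIComponent throws URIError
// on '/%zz', '/%' and '/%E2%82' (the inputs the advisory names).
function decodePathUnguarded(path) {
  return decodeURIComponent(path);
}

// Guarded decode: never throws on malformed input. Returns
// { ok: true, path } or { ok: false, error }.
function decodePathGuarded(path) {
  try {
    return { ok: true, path: decodeURIComponent(path) };
  } catch (err) {
    if (err instanceof URIError) {
      return { ok: false, error: 'malformed percent-encoding' };
    }
    throw err; // anything else is a real bug and should surface
  }
}

// Hypothetical request handler in the style of a standalone engine: the
// path (query string stripped) is decoded with the guarded function, and a
// decode failure is answered with 400 rather than crashing the server.
function handleRequest(req, res) {
  const pathOnly = req.url.split('?')[0];
  const result = decodePathGuarded(pathOnly);
  if (!result.ok) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    res.end('Bad Request: ' + result.error);
    return result;
  }
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('normalized path: ' + result.path);
  return result;
}

// Constructed sample paths: the three malformed ones from the advisory plus
// a complete multibyte sequence and a plain path, to show both outcomes.
const SAMPLE_PATHS = ['/%zz', '/%', '/%E2%82', '/%E2%82%AC', '/ok'];

function classifyPaths(paths = SAMPLE_PATHS) {
  return paths.map((p) => ({ path: p, ok: decodePathGuarded(p).ok }));
}
```

Fastify's plugin path survives the same input because its error handler sits around the normalize step in the way the try/catch does here; the standalone path before 9.3.3 had no such boundary.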

Compliance Impact

The CVE-2026-14181 vulnerability causes a denial of service (DoS) by crashing the Node.js process when malformed percent-encoded paths are processed using the standalone engine API of @fastify/middie. This results in an immediate service disruption for all connected clients until the server is restarted.

While the vulnerability impacts availability, there is no information in the provided context or resources indicating direct effects on data confidentiality or integrity, which are typically critical for compliance with standards like GDPR or HIPAA.

Therefore, the vulnerability primarily affects service availability, which could indirectly impact compliance if service interruptions violate uptime or availability requirements specified by such regulations. However, no explicit linkage to compliance violations or data breaches is stated.
