CVE-2026-14198
Status: Received - Intake

@fastify/middie Path Parameter Decoding Bypass

Vulnerability report for CVE-2026-14198, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: openjs

Description

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products (2 associated CPEs)

Vendor             Product      Version / Range
fastify            middie       from 9.1.0 (inclusive) to 9.3.2 (inclusive)
openjs_foundation  on-headers   *

Exploitability

CWE ID: CWE-436 (Interpretation Conflict)
Description: Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

AI Quick Actions

Executive Summary

The CVE-2026-14198 vulnerability affects the @fastify/middie package versions 9.1.0 through 9.3.2. It occurs because the middleware decodes the encoded slash (%2F) inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. This mismatch causes the middleware to fail to match URLs that the route handler would normally match.

As a result, an attacker can craft a URL containing an encoded slash in a parameter position to bypass middleware protections such as authentication, authorization, rate limiting, or auditing. This bypass allows the attacker to reach protected handlers without requiring authentication or special conditions.

The vulnerability is HTTP method agnostic and can be mitigated by upgrading to @fastify/middie version 9.3.3 or later, avoiding parameterized middleware paths for security decisions, or enforcing authentication at the route handler or via a Fastify hook after the router resolves the request.

Impact Analysis

This vulnerability can have a critical impact by allowing attackers to bypass middleware protections such as authentication, authorization, rate limiting, or auditing on parameterized paths.

An attacker can reach protected route handlers without any authentication or special preconditions by sending a specially crafted URL with an encoded slash in the parameter position.

This can lead to unauthorized access to sensitive data or functionality, compromising confidentiality and integrity of the application.

Detection Guidance

This vulnerability involves the bypass of middleware path matching due to decoding of encoded slashes (%2F) in path parameters. Detection would involve identifying requests with encoded slashes in parameter positions that reach protected route handlers without proper authentication or authorization.

You can monitor your web server or application logs for requests containing encoded slashes (%2F) in URL parameters, especially on parameterized routes used for authentication or authorization.

Example commands to detect such requests in logs might include:

  • Using grep to find encoded slashes in access logs: grep '%2F' /path/to/access.log
  • Using curl to test if the server improperly allows access with encoded slashes: curl -i 'http://yourserver/user/a%2Fb/comments'
  • Using network monitoring tools or IDS to flag HTTP requests with encoded slashes in parameter positions.
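As an added example (not code from @fastify/middie, Fastify, or this page), the following JavaScript models the two-layer mismatch with a simplified segment matcher and runs the detection idea above over constructed access-log lines: a request is flagged when the encoding-preserving router would dispatch it to a protected parameterized route while the decoding middleware path match would not have fired. The matcher, the combined log format, the route pattern, and the sample lines are all assumptions.

```javascript
// Added example (not @fastify/middie or Fastify code): a simplified segment matcher
// models the CVE-2026-14198 layer mismatch, then a detection pass scans constructed logs.

// Match a "/user/:id/comments"-style pattern segment by segment.
function matchPattern(pattern, path) {
  const p = pattern.split('/');
  const s = path.split('?')[0].split('/');
  return p.length === s.length &&
    p.every((seg, i) => (seg.startsWith(':') ? s[i] !== '' : seg === s[i]));
}

// Affected middleware layer (modelled): percent-decodes before matching, so %2F
// becomes a segment boundary. A malformed escape counts as no match (model assumption).
function middlewareMatches(pattern, rawPath) {
  try { return matchPattern(pattern, decodeURIComponent(rawPath)); }
  catch { return false; }
}

// Bypass candidate: the router, which keeps the encoding, dispatches to the protected
// route, but the path-based middleware guarding it would not have run.
function isBypassCandidate(pattern, rawPath) {
  return matchPattern(pattern, rawPath) && !middlewareMatches(pattern, rawPath);
}

// Combined-log-format line; the request path is kept exactly as logged (never decoded).
const LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

// One record per (line, protected pattern) pair that is a bypass candidate.
function scanAccessLog(lines, protectedPatterns) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, ip, method, path, status] = m;
    for (const pattern of protectedPatterns) {
      if (isBypassCandidate(pattern, path)) hits.push({ ip, method, path, status, pattern });
    }
  }
  return hits;
}

// Constructed sample log: only the second line should be flagged (%20 decodes to a
// space, not a slash; the last request never reaches the protected route at all).
const SAMPLE_LOG = [
  '203.0.113.5 - - [01/Jul/2026:10:00:00 +0000] "GET /user/alice/comments HTTP/1.1" 200 512',
  '203.0.113.5 - - [01/Jul/2026:10:00:01 +0000] "GET /user/a%2Fb/comments HTTP/1.1" 200 512',
  '198.51.100.9 - - [01/Jul/2026:10:00:02 +0000] "GET /user/a%20b/comments HTTP/1.1" 200 40',
  '198.51.100.9 - - [01/Jul/2026:10:00:03 +0000] "POST /user/x%2Fy/other HTTP/1.1" 404 0',
];
console.log(scanAccessLog(SAMPLE_LOG, ['/user/:id/comments']));
```

Compared with a plain grep for %2F, this reports only encoded slashes that land in a parameter position of a route you list as protected; a %2F in a query string or on an unlisted path is not reported.
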

Mitigation Strategies

The primary mitigation is to upgrade the @fastify/middie package to version 9.3.3 or later, where this vulnerability is patched.

If upgrading immediately is not possible, you can apply workarounds such as:

  • Avoid using parameterized middleware paths for security decisions like authentication or authorization.
  • Enforce authentication and authorization at the route handler level or via a Fastify hook that runs after the router has resolved the request.

Compliance Impact

The CVE-2026-14198 vulnerability allows an attacker to bypass authentication and authorization protections by exploiting a mismatch in URL path decoding between middleware and the Fastify router. This bypass can lead to unauthorized access to protected handlers, potentially exposing sensitive data or allowing unauthorized actions.

Such unauthorized access and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Therefore, if this vulnerability is exploited, it could result in violations of these regulations due to failure to adequately protect confidentiality and integrity of data.

Mitigation by upgrading to @fastify/middie version 9.3.3 or applying recommended workarounds is essential to maintain compliance.
