
cpe:2.3:a:fastify:fastify\/middie:*:*:*:*:*:node.js:*:*

part: a version: * update: *

Vendor: Fastify (51747187-798b-5030-972d-b19db43759b4)
Product: Fastify/Middie (5edfc604-4ed9-5f3a-acd4-ef53c6c22753)
Edition: *
Language: *
Software edition: *
Target software: node.js
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-6270 | vulnerable | 2026-06-03 15:27:54.985796 | @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
CRITICAL (9.1)
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.
Published: 2026-04-16T13:44:46.322Z
Updated: 2026-04-16T14:24:26.764Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33804 | vulnerable | 2026-06-03 15:20:45.739563 | @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
HIGH (7.4)
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.
Published: 2026-04-16T13:56:56.176Z
Updated: 2026-04-16T14:41:48.659Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2880 | vulnerable | 2026-06-03 15:19:25.309808 | @fastify/middie has an improper path normalization vulnerability
A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.
Published: 2026-02-27T18:25:37.428Z
Updated: 2026-02-27T18:56:02.979Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-22031 | vulnerable | 2026-06-03 15:15:52.619710 | Fastify Middie Middleware Path Bypass
HIGH (8.4)
@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. Version 9.1.0 fixes the issue.
Published: 2026-01-19T15:24:45.899Z
Updated: 2026-01-20T14:45:31.487Z
Imported from gcve-enriched-dumps CVE data
