Vulnerability Report

CVE-2026-22031

Title: Middleware Bypass in @fastify/middie

Other

Proof Of Concept

No public PoC currently indexed for CVE-2026-22031.

CWE Category CWE-177

Published Date Jan 19, 2026

Modified Date May 14, 2026

Exploit Status Not Found

Score 8.4 CVSS v3.1

Exploit Probability (EPSS)

0.14%

Vulnerability Summary

CVE-2026-22031: @fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. Version 9.1.0 fixes the issue.

Impacted Vendors

openjsf 1

fastify 1

Reference Links

https://github.com/fastify/middie/commit/d44cd56eb724490babf7b452fdbbdd37ea2effba https://github.com/fastify/middie/pull/245 https://github.com/fastify/middie/releases/tag/v9.1.0 https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p

CVSS v3.1

Source Entity [email protected]

Severity HIGH

8.4

Attack Vector

NETWORK

Complexity

HIGH

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L