Vulnerability Report

CVE-2026-33804

Title: Middleware bypass in @fastify/middie

Other

Proof Of Concept

No public PoC currently indexed for CVE-2026-33804.

CWE Category CWE-436

Published Date Apr 16, 2026

Modified Date May 14, 2026

Exploit Status Not Found

Score 7.4 CVSS v3.1

Exploit Probability (EPSS)

0.07%

Vulnerability Summary

CVE-2026-33804: @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

Impacted Vendors

openjsf 1

fastify 1

Reference Links

https://cna.openjsf.org/security-advisories.html https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6

CVSS v3.1

Source Entity ce714d77-add3-4f53-aff5-83d477b104bb

Severity HIGH

7.4

Attack Vector

NETWORK

Complexity

HIGH

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N