CVE-2026-33804
- EPSS 0.28%
- Published 16.04.2026 13:56:56
- Last modified 14.05.2026 15:41:44
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fa...
CVE-2026-6270
- EPSS 0.5%
- Published 16.04.2026 13:44:46
- Last modified 14.05.2026 15:41:44
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify...
CVE-2026-2880
- EPSS 0.39%
- Published 27.02.2026 18:25:37
- Last modified 14.05.2026 15:41:44
A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDup...
CVE-2026-22031
- EPSS 0.46%
- Published 19.01.2026 15:24:45
- Last modified 14.05.2026 15:41:44
@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded cha...