CVE-2026-33804
| Summary |
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.
|
| Publication Date |
April 17, 2026, 12:17 a.m. |
| Registration Date |
April 17, 2026, 4:12 a.m. |
| Last Update |
April 17, 2026, 12:17 a.m. |
|
CVSS3.1 : HIGH
|
| スコア |
7.4
|
| Vector |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 攻撃元区分(AV) |
ネットワーク |
| 攻撃条件の複雑さ(AC) |
高 |
| 攻撃に必要な特権レベル(PR) |
不要 |
| 利用者の関与(UI) |
不要 |
| 影響の想定範囲(S) |
変更なし |
| 機密性への影響(C) |
高 |
| 完全性への影響(I) |
高 |
| 可用性への影響(A) |
なし |
Related information, measures and tools
Common Vulnerabilities List