CVE-2026-14181
Last modified
CVE-2026-14181 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. @fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder to throw synchronously, and the exception escapes the middie normalize step and terminates the Node.js process. EPSS estimates a 0.31% chance of exploitation in the next 30 days.
Description
@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder to throw synchronously, and the exception escapes the middie normalize step and terminates the Node.js process. The bypass affects applications that call middie.run directly on the standalone engine API, causing an immediate denial of service for all connected clients until restart. Applications using the Fastify plugin path are not affected because Fastifys error handler catches the exception. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: migrate from the standalone engine API to the Fastify plugin path, where the framework error handler catches the exception.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Fastify | Fastify\/Middie | >= 9.1.0, < 9.3.3 |
References
- https://cna.openjsf.org/security-advisories.htmlVendor Advisory
- https://github.com/fastify/middie/security/advisories/GHSA-qcc9-jh8q-47vhMitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-14181?
How severe is CVE-2026-14181?
How do I fix CVE-2026-14181?
Related CVEs from 2026
- CVE-2026-14161Hospital Quening Management developed by Advantech has a Sen…8.7
- CVE-2026-14162Hospital Queuing Management developed by Advantech has a Sen…9.8
- CVE-2026-14164A double free issue has been identified in libarchive's RAR5…7.5
- CVE-2026-1417A weakness has been identified in GPAC up to 2.4.0. Affected…3.3
- CVE-2026-14178openGauss 在处理带 NLS 参数的 to_timestamp 调用时,to_timestamp_with_fm…5.9
- CVE-2026-1418A security vulnerability has been detected in GPAC up to 2.4…7.8
- CVE-2026-1419A weakness has been identified in D-Link DCS700l 1.03.09. Af…7.2
- CVE-2026-14191An out-of-bounds heap write exists in the RAR5 recovery-volu…7.8
- CVE-2026-14193DVP80ES300T with Improper Validation of Array Index Vulnerab…7.5
- CVE-2026-14198@fastify/middie versions 9.1.0 through 9.3.2 decode the enco…9.1
- CVE-2026-1420A flaw has been found in Tenda AC23 16.03.07.52. This impact…9.8
- CVE-2026-14209A vulnerability was discovered in Keycloak's Admin UI extens…4.3
Are you affected by CVE-2026-14181?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
