CVE-2026-14198
Last modified
CVE-2026-14198 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. @fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. EPSS estimates a 0.31% chance of exploitation in the next 30 days.
Description
@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Fastify | Fastify\/Middie | >= 9.1.0, < 9.3.3 |
References
- https://cna.openjsf.org/security-advisories.htmlVendor Advisory
- https://github.com/fastify/middie/security/advisories/GHSA-2v46-jxjm-7q3vMitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-14198?
How severe is CVE-2026-14198?
How do I fix CVE-2026-14198?
Related CVEs from 2026
- CVE-2026-14178openGauss 在处理带 NLS 参数的 to_timestamp 调用时,to_timestamp_with_fm…5.9
- CVE-2026-1418A security vulnerability has been detected in GPAC up to 2.4…7.8
- CVE-2026-14181@fastify/middie versions 9.1.0 through 9.3.2 fail to guard t…7.5
- CVE-2026-1419A weakness has been identified in D-Link DCS700l 1.03.09. Af…7.2
- CVE-2026-14191An out-of-bounds heap write exists in the RAR5 recovery-volu…7.8
- CVE-2026-14193DVP80ES300T with Improper Validation of Array Index Vulnerab…7.5
- CVE-2026-1420A flaw has been found in Tenda AC23 16.03.07.52. This impact…9.8
- CVE-2026-14209A vulnerability was discovered in Keycloak's Admin UI extens…4.3
- CVE-2026-1421A vulnerability has been found in code-projects Online Exami…5.4
- CVE-2026-1422A vulnerability was found in code-projects Online Examinatio…9.8
- CVE-2026-1423A vulnerability was determined in code-projects Online Exami…9.8
- CVE-2026-1424A vulnerability was identified in PHPGurukul News Portal 1.0…7.2
Are you affected by CVE-2026-14198?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
