CVE-2026-33804
Last modified
CVE-2026-33804 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. EPSS estimates a 0.28% chance of exploitation in the next 30 days.
Description
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Fastify | Fastify\/Middie | < 9.3.2 |
References
- https://cna.openjsf.org/security-advisories.htmlVendor Advisory
- https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-33804?
How severe is CVE-2026-33804?
How do I fix CVE-2026-33804?
Are you affected by CVE-2026-33804?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST