8.2
Fastify Middie Authentication Bypass via Specially Crafted URLs
CVE-2026-2880
GHSA-8p85-9qpw-fwgw
Summary
A bug in Fastify Middie can allow unauthorized access to protected areas of a website by manipulating URLs. This could lead to sensitive data being exposed. To fix this, update to the latest version of Fastify Middie or use alternative authentication methods to ensure protected areas remain secure.
What to do
- Update fastify middie to version 9.2.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| fastify | middie | <= 9.2.0 | 9.2.0 |
Original title
@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware
Original description
## Summary
A path normalization inconsistency in `@fastify/middie` can result in authentication/authorization bypass when using path-scoped middleware (for example, `app.use('/secret', auth)`).
When Fastify router normalization options are enabled (such as `ignoreDuplicateSlashes`, `useSemicolonDelimiter`, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.
## Impact
An unauthenticated remote attacker can access endpoints intended to be protected by middleware-based auth/authorization controls by sending specially crafted URL paths (for example, `//secret` or `/secret;foo=bar`), depending on router option configuration.
This may lead to unauthorized access to protected functionality and data exposure.
## Affected versions
- Confirmed affected: `@fastify/[email protected]`
- All versions prior to the patch are affected.
## Patched versions
- Fixed in: *9.2.0*
## Details
The issue is caused by canonicalization drift between:
1. `@fastify/middie` path matching for `app.use('/prefix', ...)`, and
2. Fastify/find-my-way route lookup normalization.
Because middleware and router did not always evaluate the same normalized path, auth middleware could be skipped while route resolution still succeeded.
## Workarounds
Until the patched version is deployed:
- Avoid relying solely on path-scoped middie guards for auth/authorization.
- Enforce auth at route-level handlers/hooks after router normalization.
- Disable risky normalization combinations only if operationally feasible.
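The following is an added illustration, not code from the advisory or from the `@fastify/middie` project: a simplified model of the canonicalization drift described under Details, and of the second workaround (evaluating the guard on the same normalized path the router sees). The `normalizePath` rules are an assumption of how the `ignoreDuplicateSlashes`, `useSemicolonDelimiter` and `ignoreTrailingSlash` options behave, not the real find-my-way implementation.

```javascript
// Assumed model of the router's normalization, keyed by Fastify option names.
function normalizePath(rawUrl, opts = {}) {
  let path = rawUrl.split('?')[0];            // strip the query string
  if (opts.useSemicolonDelimiter) {
    path = path.split(';')[0];                // ';' starts the query
  }
  if (opts.ignoreDuplicateSlashes) {
    path = path.replace(/\/{2,}/g, '/');      // '//secret' -> '/secret'
  }
  if (opts.ignoreTrailingSlash && path.length > 1 && path.endsWith('/')) {
    path = path.slice(0, -1);                 // '/secret/' -> '/secret'
  }
  return path;
}

function prefixMatches(path, prefix) {
  return path === prefix || path.startsWith(prefix + '/');
}

// Naive path-scoped guard: prefix test against the raw URL, i.e. a check
// that runs before (and independently of) router normalization.
function naiveGuardApplies(rawUrl, prefix) {
  return prefixMatches(rawUrl.split('?')[0], prefix);
}

// Hardened guard: the same prefix test, but on the router-normalized path,
// so the auth decision and the route lookup agree on what was requested.
function normalizedGuardApplies(rawUrl, prefix, opts) {
  return prefixMatches(normalizePath(rawUrl, opts), prefix);
}

const PROTECTED = '/secret'; // constructed sample route for the model

// Would the router resolve this URL to the protected route?
function reachesProtected(rawUrl, opts) {
  return normalizePath(rawUrl, opts) === PROTECTED;
}

// Drift check for audits: true when the request is routed to the protected
// handler but the given guard did not consider it in scope.
function bypass(rawUrl, opts, guard) {
  return reachesProtected(rawUrl, opts) && !guard(rawUrl, PROTECTED, opts);
}

module.exports = { normalizePath, naiveGuardApplies, normalizedGuardApplies, bypass };
```

With all three options enabled, `bypass('//secret', opts, naiveGuardApplies)` is true while the normalized guard reports no bypass; with the options off, the raw path does not resolve to `/secret` and there is no drift to begin with.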
## Resources
- Fluid Attacks Disclosure Policy: https://fluidattacks.com/advisories/policy
- Fluid Attacks advisory URL: https://fluidattacks.com/advisories/jimenez
## Credits
- **Cristian Vargas** (Fluid Attacks Research Team) — discovery and report.
- **Oscar Uribe** (Fluid Attacks) — coordination and disclosure.
NVD CVSS 4.0: 8.2
Vulnerability type: CWE-20 (Improper Input Validation)
- https://nvd.nist.gov/vuln/detail/CVE-2026-2880
- https://github.com/fastify/middie/commit/140e0dd0359d890fec7e6ea1dcc5134d6bd554d...
- https://fluidattacks.com/advisories/jimenez
- https://fluidattacks.com/advisories/policy
- https://github.com/fastify/middie/releases/tag/v9.2.0
- https://github.com/advisories/GHSA-8p85-9qpw-fwgw
- https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw
Published: 28 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026