Fastify Middie versions 9.3.1 and earlier can be bypassed by attackers
CVE-2026-33804 · GHSA-v9ww-2j6r-98q6 · CVSS 3.1: 7.4
Summary
A security issue in outdated versions of @fastify/middie allows attackers to bypass security checks implemented as middleware. It only occurs when a specific deprecated option is enabled, and using that option is not recommended. To fix it, update to @fastify/middie version 9.3.2 or later. Disabling the problematic option is also a possible temporary solution.
What to do
- Update @fastify/middie to version 9.3.2 or later.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | fastify | middie | <= 9.3.1 (fix: upgrade to 9.3.2) |
Original title
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
Original description
### Impact
`@fastify/middie` v9.3.1 and earlier does not read the deprecated (but still functional) top-level `ignoreDuplicateSlashes` option, only reading from `routerOptions`. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, allowing middleware bypass via URLs with duplicate leading slashes (e.g., `//admin/secret`).
This only affects applications using the deprecated top-level configuration style (`fastify({ ignoreDuplicateSlashes: true })`). Applications using `routerOptions: { ignoreDuplicateSlashes: true }` are not affected.
This is distinct from [GHSA-8p85-9qpw-fwgw](https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw) (CVE-2026-2880), which was patched in v9.2.0.
### Patches
Upgrade to `@fastify/middie` >= 9.3.2.
### Workarounds
Migrate from deprecated top-level `ignoreDuplicateSlashes: true` to `routerOptions: { ignoreDuplicateSlashes: true }`.
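An added illustration, not part of the advisory or of @fastify/middie's own code, of the normalization gap described above: a prefix-matching middleware guard sees the raw URL while the router sees the slash-collapsed one, so `//admin/secret` reaches the route. The fixed pipeline normalizes once before both stages, and a config check flags the deprecated top-level option. The route table, guard, and function names are assumptions for the model.

```javascript
// Collapse runs of "/" the way ignoreDuplicateSlashes does (assumed model of
// the router's normalization, not the real find-my-way implementation).
function collapseSlashes(path) {
  return path.replace(/\/\/+/g, '/');
}

// Constructed route table: the only registered route is /admin/secret.
const ROUTES = new Set(['/admin/secret']);

// Middleware guard that protects everything under /admin by prefix match.
function adminGuard(path) {
  return path.startsWith('/admin') ? 'blocked' : 'pass';
}

// Vulnerable pipeline: middleware matches the raw path, router matches the
// normalized path, so "//admin/secret" passes the guard and still routes.
function handleVulnerable(rawPath) {
  if (adminGuard(rawPath) === 'blocked') return 403;
  const routed = collapseSlashes(rawPath);
  return ROUTES.has(routed) ? 200 : 404;
}

// Fixed pipeline: a single normalization applied before middleware and router,
// which is what the upgrade (and the routerOptions workaround) restores.
function handleFixed(rawPath) {
  const path = collapseSlashes(rawPath);
  if (adminGuard(path) === 'blocked') return 403;
  return ROUTES.has(path) ? 200 : 404;
}

// Config check: true when only the deprecated top-level option is set, i.e. the
// configuration shape that middie <= 9.3.1 does not read.
function usesDeprecatedOption(fastifyOptions) {
  const topLevel = fastifyOptions.ignoreDuplicateSlashes === true;
  const viaRouter = Boolean(fastifyOptions.routerOptions &&
    fastifyOptions.routerOptions.ignoreDuplicateSlashes === true);
  return topLevel && !viaRouter;
}
```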
NVD CVSS 3.1 score: 7.4
Vulnerability type: CWE-436
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026