High severity7.4NVD Advisory· Published Apr 16, 2026· Updated May 14, 2026

CVE-2026-33804

Description

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@fastify/middienpm	< 9.3.2	9.3.2

Affected products

Openjsf/Fastifymiddie
cpe:2.3:a:openjsf:\@fastify\/middie:*:*:*:*:*:fastify:*:*
Range: <9.3.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cna.openjsf.org/security-advisories.htmlnvdVendor AdvisoryWEB
github.com/advisories/GHSA-v9ww-2j6r-98q6ghsaADVISORY
github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6nvdMitigationVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-33804ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.481
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000