VYPR

Fastify/middie

by Fastify

Source repositories

CVEs (4)

  • CVE-2026-6270 | Critical | Apr 16, 2026
    risk 0.52 | cvss 9.1 | epss 0.01

    @fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does…

  • CVE-2026-2880 | Critical | Feb 27, 2026
    risk 0.52 | cvss 9.1 | epss 0.00

    A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes,…

  • CVE-2026-22031 | High | Jan 19, 2026
    risk 0.48 | cvss 8.4 | epss 0.00

    @fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin`…

  • CVE-2026-33804 | High | Apr 16, 2026
    risk 0.41 | cvss 7.4 | epss 0.00

    @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing…