CVE-2026-33804 HIGH

CVE-2026-33804: @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

Vendor @Fastify/Middie
Product @fastify/middie
Weakness CWE-436
Published April 16, 2026
Last update April 16, 2026

CVSS base score

7.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when Fastify's deprecated ignoreDuplicateSlashes option is enabled. With that option on, Fastify's router collapses duplicate slashes in the request path before route lookup, but the middleware path matching in @fastify/middie does not apply the same normalization and matches against the path as received. A request whose path contains duplicate slashes can therefore be dispatched to a route handler without passing through middleware mounted on that path, including authentication and authorization middleware. Only applications that enable ignoreDuplicateSlashes are affected. Upgrade to @fastify/middie 9.3.2 to fix this issue; the only workaround is to disable the ignoreDuplicateSlashes option. To check exposure, look for ignoreDuplicateSlashes: true in the Fastify factory options together with a @fastify/middie dependency at or below 9.3.1.
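The following is an added, stand-alone model of the mismatch described above; it is not code from @fastify/middie or Fastify, and it does not reproduce the project's fix. It assumes a middleware layer that does path-prefix matching on the raw request path (the vulnerable shape) next to one that normalizes the path the same way the router does before matching (the hardened shape). The route table, the requireAdmin middleware name and the probe URLs are constructed for the illustration. The duplicate-slash collapsing rule is a model of what an ignoreDuplicateSlashes-style router does, not a copy of Fastify's implementation.

```javascript
// Collapse runs of '/' the way a router with ignoreDuplicateSlashes enabled
// would before route lookup (model, not Fastify's code):
// "//admin///users" -> "/admin/users".
function collapseDuplicateSlashes(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Drop the query string; both stages match on the path component only.
function pathOnly(url) {
  const i = url.indexOf('?');
  return i === -1 ? url : url.slice(0, i);
}

// Mount-prefix test for use('/prefix', fn): the prefix must match exactly
// or be followed by a '/' segment boundary.
function prefixMatches(prefix, path) {
  if (prefix === '/') return true;
  return path === prefix || path.startsWith(prefix + '/');
}

// Vulnerable pipeline: middleware is matched against the raw path while the
// router matches against the normalized path, so the two stages can disagree
// about which request "/admin" middleware should see.
function dispatchVulnerable(middlewares, routes, rawUrl) {
  const rawPath = pathOnly(rawUrl);
  const routerPath = collapseDuplicateSlashes(rawPath);
  const ran = middlewares
    .filter((m) => prefixMatches(m.prefix, rawPath))
    .map((m) => m.name);
  const route = routes.has(routerPath) ? routerPath : null;
  return { middleware: ran, route };
}

// Hardened pipeline (assumed approach): normalize once, then match middleware
// on the same path the router will use, so no request can reach a handler
// without the middleware mounted on that handler's path.
function dispatchFixed(middlewares, routes, rawUrl) {
  const path = collapseDuplicateSlashes(pathOnly(rawUrl));
  const ran = middlewares
    .filter((m) => prefixMatches(m.prefix, path))
    .map((m) => m.name);
  const route = routes.has(path) ? path : null;
  return { middleware: ran, route };
}

// Constructed sample: an auth middleware mounted at /admin, one admin route
// and one public route.
const middlewares = [{ prefix: '/admin', name: 'requireAdmin' }];
const routes = new Set(['/admin/users', '/public']);

// Run a set of probe paths through both pipelines and return the outcomes.
// The interesting case is "//admin/users": the duplicate slash sits at the
// mount boundary, so the raw-path prefix check misses it while the router
// still resolves the admin route.
function demo() {
  const probes = ['/admin/users', '//admin/users', '/admin//users', '/public'];
  return probes.map((url) => ({
    url,
    vulnerable: dispatchVulnerable(middlewares, routes, url),
    fixed: dispatchFixed(middlewares, routes, url),
  }));
}

for (const r of demo()) {
  console.log(JSON.stringify(r));
}
```

Note that not every duplicate slash produces a bypass in this model: "/admin//users" still starts with "/admin/" and is caught by the raw-path prefix check, while "//admin/users" is not. The hardened pipeline removes the distinction by feeding both stages the same normalized path.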

Key dates

Disclosure timeline

April 16, 2026 CVE published
April 16, 2026 Record updated