CVE-2026-33804
published 2026-04-16


Priority: P2 61
CVSS 3.1: 9.1 (critical)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.28% (19.5th percentile)
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.
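How the mismatch described above turns into a bypass, as an added example written for this page. It is a stand-alone model, not code from @fastify/middie or Fastify: the router is assumed to collapse runs of "/" to one "/" when the deprecated ignoreDuplicateSlashes option is on, while the vulnerable middleware matcher looks at the raw path. All names (handle, findBypasses, ROUTES, the "/admin" mount) and the probe URLs are hypothetical and constructed here.

```javascript
// Added example for this page: a stand-alone model of the mismatch the advisory
// describes. It is not code from @fastify/middie or Fastify; every name in it
// (handle, findBypasses, ROUTES, the "/admin" mount) is hypothetical.

// Constructed sample routes: one behind an auth middleware, one public.
const ROUTES = new Set(['/admin/users', '/public/health']);
const PROTECTED_PREFIX = '/admin';

// Model of the router's normalization when the deprecated ignoreDuplicateSlashes
// option is enabled (assumption: runs of "/" collapse to a single "/").
function collapseDuplicateSlashes(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Path component of a request URL, without the query string.
function pathOf(url) {
  const q = url.indexOf('?');
  return q === -1 ? url : url.slice(0, q);
}

// connect-style mount matching: "/admin" covers "/admin" and "/admin/...".
function mountMatches(prefix, path) {
  return path === prefix || path.startsWith(prefix + '/');
}

// One request through "auth middleware mounted at /admin", then the router.
//   ignoreDuplicateSlashes: whether the router normalizes the path (the option)
//   middlewareSeesNormalized: false = middleware matches the raw path (vulnerable)
//                             true  = middleware matches the routed path (the fix)
function handle(url, { ignoreDuplicateSlashes, middlewareSeesNormalized }) {
  const rawPath = pathOf(url);
  const routedPath = ignoreDuplicateSlashes ? collapseDuplicateSlashes(rawPath) : rawPath;
  const middlewarePath = middlewareSeesNormalized ? routedPath : rawPath;

  const authChecked = mountMatches(PROTECTED_PREFIX, middlewarePath);
  const route = ROUTES.has(routedPath) ? routedPath : null;
  // Bypass = a protected handler is reached without the middleware having run.
  const bypass = route !== null && mountMatches(PROTECTED_PREFIX, route) && !authChecked;
  return { rawPath, routedPath, authChecked, route, bypass };
}

// Probe helper: which of the given URLs reach a protected route with no auth check.
function findBypasses(urls, options) {
  return urls.filter((u) => handle(u, options).bypass);
}

// Constructed probe set: the expected form plus duplicate-slash variants.
const PROBES = ['/admin/users', '//admin/users', '///admin/users', '/admin//users', '//admin/users?x=1'];

// Three configurations side by side: vulnerable, fixed, and option disabled.
function report() {
  return {
    vulnerable: findBypasses(PROBES, { ignoreDuplicateSlashes: true, middlewareSeesNormalized: false }),
    fixed: findBypasses(PROBES, { ignoreDuplicateSlashes: true, middlewareSeesNormalized: true }),
    optionOff: findBypasses(PROBES, { ignoreDuplicateSlashes: false, middlewareSeesNormalized: false }),
  };
}

console.log(report());
```

The vulnerable configuration lets "//admin/users" (and any leading duplicate slash, with or without a query string) reach the protected handler while the "/admin" middleware never runs; "/admin//users" is not affected because the raw path still starts with the mount prefix. Normalizing the path the middleware matches against exactly as the router does closes the gap, and with the option off the duplicate-slash URL simply does not route, which is why the advisory lists disabling ignoreDuplicateSlashes as the only workaround short of upgrading.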

Affected

3 ranges

Vendor    Product                Version range     Fixed in
fastify   fastify_middie         < 9.3.2           9.3.2
fastify   middie                 >= 0, < 9.3.2     9.3.2
fastify   middie_fastify_middie  < 9.3.2           9.3.2

CVSS provenance

NVD   v3.1  9.1  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
GHSA        8.2  HIGH