CVE-2026-33804
Published 2026-04-16
Priority P261 · critical · CVSS 3.1 base score 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.28% (19.5th percentile)
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fastify | fastify_middie | < 9.3.2 | 9.3.2 |
| fastify | middie | >= 0 < 9.3.2 | 9.3.2 |
| fastify | middie_fastify_middie | < 9.3.2 | 9.3.2 |
CVSS provenance
NVD: CVSS 3.1 base score 9.1 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
GHSA: 8.2 (HIGH)
VulDB
fastify middie up to 9.3.1 interpretation conflict
vuldb·2026-04-16·CVSS 7.4
CVE-2026-33804 [HIGH] fastify middie up to 9.3.1 interpretation conflict
A vulnerability, which was classified as problematic, has been found in fastify middie up to 9.3.1. The impacted element is an unknown function. This manipulation causes interpretation conflict.
This vulnerability is registered as CVE-2026-33804. Remote exploitation of the attack is possible. No exploit is available.
It is advisable to upgrade the affected component.
GHSA
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
ghsa·2026-04-16·CVSS 8.2
CVE-2026-33804 [HIGH] CWE-436 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
### Impact
`@fastify/middie` v9.3.1 and earlier does not read the deprecated (but still functional) top-level `ignoreDuplicateSlashes` option, only reading from `routerOptions`. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, allowing middleware bypass via URLs with duplicate leading slashes (e.g., `//admin/secret`).
This only affects applications using the deprecated top-level configuration style (`fastify({ ignoreDuplicateSlashes: true })`). Applications using `routerOptions: { ignoreDuplicateSlashes: true }` are not affected.
This is distinct from [GHSA-8p85-9qpw-fwgw](https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fw
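To make the normalization gap concrete, the following is an added, constructed model of the bug class the advisory describes; it is not code from @fastify/middie or Fastify. It assumes a router that collapses duplicate slashes before route lookup (as `ignoreDuplicateSlashes` does) and an auth middleware mounted at the hypothetical prefix `/admin`, compared against either the raw path (the gap) or the same normalized path the router uses (the fix). The route table and request URLs are constructed for the example.

```javascript
// Constructed model of the CWE-436 normalization gap in CVE-2026-33804.
// Not @fastify/middie's or Fastify's code; hypothetical helpers throughout.

// Collapse runs of "/" into a single "/", approximating what a router with
// ignoreDuplicateSlashes does before looking up a route.
function collapseSlashes(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Keep only the path component of a request URL (drop query and fragment).
function pathOf(url) {
  const end = url.search(/[?#]/);
  return end === -1 ? url : url.slice(0, end);
}

// Hypothetical route table: the router only ever sees the normalized path.
const ROUTES = new Set(['/admin/secret', '/public']);

function routeFor(url, { ignoreDuplicateSlashes }) {
  let p = pathOf(url);
  if (ignoreDuplicateSlashes) p = collapseSlashes(p);
  return ROUTES.has(p) ? p : null; // null models a 404
}

// Hypothetical auth middleware mounted at a prefix. With normalize=false it
// compares the raw path (the vulnerable behaviour); with normalize=true it
// applies the router's own normalization first (the fixed behaviour).
function middlewareMatches(url, prefix, { normalize }) {
  let p = pathOf(url);
  if (normalize) p = collapseSlashes(p);
  return p === prefix || p.startsWith(prefix + '/');
}

// Simulate one request and report whether a protected route was reached
// without the auth middleware having run.
function simulate(url, { ignoreDuplicateSlashes, middlewareNormalizes }) {
  const route = routeFor(url, { ignoreDuplicateSlashes });
  const authRan = middlewareMatches(url, '/admin', { normalize: middlewareNormalizes });
  const bypass = route !== null && route.startsWith('/admin') && !authRan;
  return { route, authRan, bypass };
}

// Vulnerable configuration: router normalizes, middleware does not.
console.log(simulate('//admin/secret', { ignoreDuplicateSlashes: true, middlewareNormalizes: false }));
// Fixed: middleware normalizes the same way the router does.
console.log(simulate('//admin/secret', { ignoreDuplicateSlashes: true, middlewareNormalizes: true }));
// Option disabled: the raw path does not match any route, so there is nothing to bypass.
console.log(simulate('//admin/secret', { ignoreDuplicateSlashes: false, middlewareNormalizes: false }));
```

Note that only a duplicated leading slash escapes the prefix check in this model (`//admin/secret` does not start with `/admin/`), while `/admin//secret` still matches the prefix; that is why the advisory singles out duplicate leading slashes as the bypass vector.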
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-16