Fastify Middie Fastify Middie vulnerabilities
3 known vulnerabilities affecting fastify/middie_fastify_middie.
Total CVEs
3
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL3
Vulnerabilities
Page 1 of 1
CVE-2026-6270P2CRITICALCVSS 9.1fixed in 9.3.22026-04-16
CVE-2026-6270 [CRITICAL] CWE-436 CVE-2026-6270: @fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child pl
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests
nvd
CVE-2026-33804P2CRITICALCVSS 9.1fixed in 9.3.22026-04-16
CVE-2026-33804 [CRITICAL] CWE-436 CVE-2026-33804: @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated F
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and au
nvd
CVE-2026-2880P2CRITICALCVSS 9.1≥ 0.0.0, < 9.2.02026-02-27
CVE-2026-2880 [CRITICAL] CWE-20 CVE-2026-2880: A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypas
A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).
When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may
nvd