CVE-2026-33804

216.73.217.22

· Published 16/04/2026 15:17 · Modified 17/04/2026 15:17

Labels: CVE-2026-33804 2026-04-16 CVE-2026-33804 CWE-436 ce714d77-add3-4f53-aff5-83d477b104bb

Essential information

Published: 16/04/2026 15:17
Modified: 17/04/2026 15:17
Author: —
Creator: —
CVSS: 7.4 HIGH (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS metrics

Description

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

NVD status

Status: Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: ce714d77-add3-4f53-aff5-83d477b104bb
NVD: View on NVD

Affected products (CPE)

Product	CPE
fastify / middie	`cpe:2.3:a:fastify:middie:9.3.1:::::::*`
fastify / middie	`cpe:2.3:a:fastify:middie:<9.3.2:::::::*`