Platform
nodejs
Component
@fastify/middie
Fixed in
9.3.2
CVE-2026-33804 affects versions of the @fastify/middie middleware package for Node.js prior to 9.3.2. A normalization gap exists: Fastify's router collapses duplicate slashes when ignoreDuplicateSlashes is enabled, but @fastify/middie matches middleware against the un-normalized URL, so a request whose path carries duplicate leading slashes is served by the route while the middleware mounted on that path never runs. Upgrade to version 9.3.2 or later to resolve this vulnerability.
This vulnerability allows attackers to bypass middleware in Node.js applications that enable the deprecated top-level ignoreDuplicateSlashes configuration. By crafting a URL with duplicate leading slashes (e.g., //admin/secret), an attacker reaches the handler for /admin/secret without passing through the middleware mounted at /admin, potentially accessing sensitive resources or executing unauthorized actions. The impact is most severe when authentication or authorization checks are implemented in the bypassed middleware, since the bypass negates those controls entirely for every route they were meant to protect.
This CVE was published on 2026-04-16. No public proof-of-concept (PoC) is currently available, although the bypass as described requires nothing more than sending a URL with an extra leading slash, so the absence of a PoC offers little assurance. The impact is contingent on the application's configuration and on what the affected middleware enforces. It is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.05% (15th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation is to upgrade @fastify/middie to version 9.3.2 or later. If upgrading is not immediately feasible, stop using the deprecated top-level ignoreDuplicateSlashes configuration: either drop the option or configure ignoreDuplicateSlashes within routerOptions instead. Review application code to confirm that no security-critical check depends on middleware path matching agreeing with the router's duplicate-slash normalization. As defense in depth, reject or normalize request URLs containing duplicate slashes before any middleware runs, so the router and the middleware layer can never disagree about which path a request targets.
Upgrade to version 9.3.2 or later of @fastify/middie to fix this vulnerability. The root cause is middleware route matching logic that does not account for the router's duplicate-slash normalization. The only workaround short of upgrading is to stop using the deprecated top-level ignoreDuplicateSlashes option, either by disabling it or by configuring it within routerOptions.
CVE-2026-33804 describes a vulnerability in @fastify/middie where duplicate slashes can bypass middleware, potentially allowing unauthorized access.
You are affected if you use a @fastify/middie version prior to 9.3.2 together with the deprecated top-level ignoreDuplicateSlashes configuration.
Upgrade to @fastify/middie version 9.3.2 or later. Alternatively, configure ignoreDuplicateSlashes within routerOptions.
There are currently no reports of active exploitation, but a PoC could emerge.
Refer to the official @fastify/middie repository and related security advisories for the latest information.