Platform: nodejs
Component: @fastify/middie
Fixed in: 9.3.2
CVE-2026-33804 affects versions of the @fastify/middie middleware package for Node.js prior to 9.3.2. A normalization gap exists between Fastify's router, which collapses duplicate slashes before matching a route when ignoreDuplicateSlashes is enabled, and @fastify/middie, whose middleware path matching does not take that normalization into account. A request whose URL carries duplicate leading slashes therefore reaches the route without passing through the middleware mounted on that path. Upgrade to version 9.3.2 or later to resolve this vulnerability.
The bypass applies to Node.js applications that still use the deprecated top-level ignoreDuplicateSlashes configuration. By requesting a URL with duplicate leading slashes (e.g. //admin/secret instead of /admin/secret), an attacker can reach a route without the middleware mounted on its path running, potentially accessing sensitive resources or performing unauthorized actions. The impact is most severe when authentication or authorization checks are implemented in the bypassed middleware, since those controls are then skipped entirely for the crafted request.
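The following is an added example, not code from Fastify or @fastify/middie, that models the normalization gap described above in plain JavaScript with no dependencies. The router side is represented by a function that collapses duplicate slashes (assumed to mirror what ignoreDuplicateSlashes does), and two mount checks are compared: a naive one that looks at the raw URL, and a hardened one that normalizes first. The sample paths and the /admin mount point are constructed for the demonstration.

```javascript
'use strict';
// Added example (not Fastify or @fastify/middie code): a model of the
// normalization gap. The router collapses duplicate slashes before matching
// (assumed semantics of ignoreDuplicateSlashes), while a middleware layer that
// matches its mount path against the raw URL never sees "/admin" in
// "//admin/secret".

// Collapse every run of two or more "/" into one.
function collapseDuplicateSlashes(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Naive mount check: compares the raw request path with the mount path.
// Returns true when the middleware would run for this request.
function naiveMiddlewareMatches(mountPath, rawPath) {
  return rawPath === mountPath || rawPath.startsWith(mountPath + '/');
}

// Hardened mount check: normalize with the same rule as the router first,
// so middleware and router agree on which path a request is for.
function normalizedMiddlewareMatches(mountPath, rawPath) {
  const path = collapseDuplicateSlashes(rawPath);
  return path === mountPath || path.startsWith(mountPath + '/');
}

// Simulate one request through an auth middleware mounted at /admin and then
// the router, which only sees the normalized path. `matcher` selects the
// naive or hardened mount check. A bypass is a request the router delivers to
// an /admin route without the auth middleware having run.
function simulateRequest(rawPath, matcher) {
  const mountPath = '/admin';
  const authRan = matcher(mountPath, rawPath);
  const routedPath = collapseDuplicateSlashes(rawPath);
  const routeMatched = routedPath === mountPath || routedPath.startsWith(mountPath + '/');
  return { rawPath, routedPath, authRan, routeMatched, bypassed: routeMatched && !authRan };
}

// Constructed sample request paths: only the second has the duplicate
// *leading* slash that defeats the naive prefix check; a duplicate slash
// later in the path still starts with "/admin/" and is caught either way.
const SAMPLE_PATHS = ['/admin/secret', '//admin/secret', '/admin//secret', '/public/index'];

// Run every sample through both checks and return the raw paths that bypass
// the middleware under each matcher.
function findBypasses() {
  const naive = SAMPLE_PATHS.filter(p => simulateRequest(p, naiveMiddlewareMatches).bypassed);
  const hardened = SAMPLE_PATHS.filter(p => simulateRequest(p, normalizedMiddlewareMatches).bypassed);
  return { naive, hardened };
}

console.log(findBypasses());
```

The naive matcher reports exactly one bypass, //admin/secret, while the hardened matcher reports none; a single extra leading slash is the whole attack, which is why the check belongs before any path-based authorization decision and must use the same rule the router uses.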
This CVE was published on 2026-04-16. No public proof-of-concept (PoC) is currently available. The vulnerability's impact is contingent on the application's configuration and middleware implementation, making widespread exploitation less likely without a readily available exploit. It is not listed on the CISA KEV catalog at the time of writing.
Node.js applications utilizing the deprecated top-level configuration for @fastify/middie are at risk. This includes applications that have not been updated to use the routerOptions configuration style and rely on the ignoreDuplicateSlashes option for URL normalization.
• nodejs / server: npm list @fastify/middie (confirm whether the installed version is below 9.3.2)
• nodejs / server: npm audit (reports known advisories for every installed package; the command does not take a package name)
• nodejs / server: check application configuration files for ignoreDuplicateSlashes: true at the top level of the Fastify options rather than under routerOptions
disclosure
Exploit status
EPSS: 0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade @fastify/middie to version 9.3.2 or later. If upgrading is not immediately feasible, stop using the deprecated top-level ignoreDuplicateSlashes option and set ignoreDuplicateSlashes under routerOptions instead. Review application code so that no security-critical middleware depends on the request path having been normalized for it; collapsing duplicate slashes before any path-based authorization decision removes the gap regardless of how the option is configured.
Upgrade to @fastify/middie version 9.3.2 to fix this vulnerability. It is caused by middleware path-matching logic that does not take duplicate-slash normalization into account. There is no workaround beyond not using the deprecated top-level ignoreDuplicateSlashes option.
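To make the configuration check from the detection section and the routerOptions migration from the mitigation above concrete, here is an added example (not Fastify or @fastify/middie code) that inspects a plain Fastify options object for the deprecated top-level flag and returns the equivalent object with the flag moved under routerOptions. The sample configurations are constructed; the flag name defaults to ignoreDuplicateSlashes, which is the only option this advisory names, and the precedence rule for a conflicting explicit routerOptions value is an assumption of this example.

```javascript
'use strict';
// Added example, not Fastify or @fastify/middie code. Audits a Fastify
// options object for the deprecated top-level ignoreDuplicateSlashes flag
// (the configuration this advisory says is affected) and produces the
// routerOptions form. `flag` is a parameter so the same check can be pointed
// at another option name; ignoreDuplicateSlashes is the only one taken from
// the advisory.

function usesDeprecatedTopLevelFlag(opts, flag = 'ignoreDuplicateSlashes') {
  return Object.prototype.hasOwnProperty.call(opts, flag);
}

// Return a copy of `opts` with the top-level flag removed and placed under
// routerOptions. If routerOptions already sets the same flag explicitly, that
// value is kept (assumption: the explicit routerOptions value is the intended
// one) so the migration never silently changes an existing router setting.
function migrateToRouterOptions(opts, flag = 'ignoreDuplicateSlashes') {
  if (!usesDeprecatedTopLevelFlag(opts, flag)) return { ...opts };
  const { [flag]: topLevelValue, ...rest } = opts;
  const routerOptions = { [flag]: topLevelValue, ...(opts.routerOptions || {}) };
  return { ...rest, routerOptions };
}

// Audit several named configurations at once and return the names that still
// use the deprecated top-level form.
function findDeprecatedConfigs(configs, flag = 'ignoreDuplicateSlashes') {
  return Object.entries(configs)
    .filter(([, opts]) => usesDeprecatedTopLevelFlag(opts, flag))
    .map(([name]) => name);
}

// Constructed configurations: the weak (deprecated top-level) form and the
// fixed form produced from it.
const WEAK_OPTIONS = { logger: true, ignoreDuplicateSlashes: true };
const FIXED_OPTIONS = migrateToRouterOptions(WEAK_OPTIONS);
// FIXED_OPTIONS is { logger: true, routerOptions: { ignoreDuplicateSlashes: true } }

console.log(findDeprecatedConfigs({ api: WEAK_OPTIONS, admin: FIXED_OPTIONS }));
```

Run this against the options object each service passes to Fastify; any name it returns is a service still on the configuration style the advisory describes as affected, independent of which @fastify/middie version is installed.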
CVE-2026-33804 describes a vulnerability in @fastify/middie where URLs with duplicate leading slashes bypass middleware, potentially allowing unauthorized access.
You are affected if you use an @fastify/middie version earlier than 9.3.2 together with the deprecated top-level ignoreDuplicateSlashes configuration.
Upgrade to @fastify/middie version 9.3.2 or later. Until you can, set ignoreDuplicateSlashes under routerOptions instead of at the top level.
There are currently no reports of active exploitation, but a PoC could emerge.
Refer to the official @fastify/middie repository and related security advisories for the latest information.