CVE-2026-2880

High CVSS: 8.2

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).

When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.

Vendor

Openjsf

Product

\@fastify\/middie

CWE

CWE-20

Yayın Tarihi

2026-02-27 19:16:12

Güncelleme

2026-03-19 17:30:15

Source Identifier

ce714d77-add3-4f53-aff5-83d477b104bb

KEV Date Added

Kategoriler

CWE-20 \@fastify\/middie HIGH Openjsf 2026

Referanslar

https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw

Benzer Kayıtlar

Medium

CVE-2025-50537

Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/sha…

High

CVE-2026-22031

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @f…

High

CVE-2025-57349

The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable…