GHSA-8P85-9QPW-FWGW
Vulnerability from github – Published: 2026-02-28 02:47 – Updated: 2026-02-28 02:47
Summary
A path normalization inconsistency in @fastify/middie can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).
When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.
Impact
An unauthenticated remote attacker can access endpoints intended to be protected by middleware-based auth/authorization controls by sending specially crafted URL paths (for example, //secret or /secret;foo=bar), depending on router option configuration.
This may lead to unauthorized access to protected functionality and data exposure.
Affected versions
- Confirmed affected: @fastify/middie@9.1.0
- All versions prior to the patch are affected.
Patched versions
- Fixed in: 9.2.0
Details
The issue is caused by canonicalization drift between:
1. @fastify/middie path matching for app.use('/prefix', ...), and
2. Fastify/find-my-way route lookup normalization.
Because middleware and router did not always evaluate the same normalized path, auth middleware could be skipped while route resolution still succeeded.
Workarounds
Until the patched version is deployed:
- Avoid relying solely on path-scoped middie guards for auth/authorization.
- Enforce auth at route-level handlers/hooks after router normalization.
- Disable risky normalization combinations only if operationally feasible.
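As an added illustration, not code from @fastify/middie, Fastify or the advisory, the following JavaScript models the canonicalization drift described under Details and the route-level workaround listed above. The normalizePath function is an assumed simplification of what the named router options intend, not the find-my-way implementation, and every sample URL is constructed.

```javascript
// Added example, not code from @fastify/middie, Fastify or the advisory.
// normalizePath is an ASSUMED simplification of what the Fastify options
// ignoreDuplicateSlashes / useSemicolonDelimiter / ignoreTrailingSlash intend;
// it is not the find-my-way implementation.
const ROUTER_OPTS = { ignoreDuplicateSlashes: true, useSemicolonDelimiter: true, ignoreTrailingSlash: true };

// Router-side view of the path: what route lookup actually matches on.
function normalizePath(rawUrl, opts = ROUTER_OPTS) {
  let path = rawUrl.split('?')[0];
  if (opts.useSemicolonDelimiter) path = path.split(';')[0]; // ';' starts the query
  if (opts.ignoreDuplicateSlashes) path = path.replace(/\/\/+/g, '/');
  if (opts.ignoreTrailingSlash && path.length > 1) path = path.replace(/\/+$/, '');
  return path;
}

function underPrefix(path, prefix) {
  return path === prefix || path.startsWith(prefix + '/');
}

// Vulnerable pattern: a path-scoped guard (app.use('/secret', auth)) that
// decides on the raw, pre-normalization path. Returns true when the request
// may proceed; requests it considers out of scope pass with no auth check.
function rawPrefixGuardAllows(rawUrl, prefix, authenticated) {
  return underPrefix(rawUrl.split('?')[0], prefix) ? authenticated : true;
}

// Hardened pattern (the advisory's workaround): enforce auth at route level,
// i.e. on the same normalized path the router used to pick the handler.
function routeLevelGuardAllows(rawUrl, prefix, authenticated) {
  return underPrefix(normalizePath(rawUrl), prefix) ? authenticated : true;
}

// Classify an unauthenticated request against the vulnerable pattern:
// 'bypass' = the protected handler is reached although the guard never fired.
function classify(rawUrl, prefix = '/secret') {
  if (!underPrefix(normalizePath(rawUrl), prefix)) return 'not-protected-route';
  return rawPrefixGuardAllows(rawUrl, prefix, false) ? 'bypass' : 'blocked';
}

// Constructed sample requests, including the two shapes named in the advisory.
const SAMPLE_URLS = ['/secret', '/secret/', '//secret', '/secret;foo=bar', '/public'];

// Audit helper: one verdict per sample URL; reusable as a regression check after upgrading.
function audit(urls = SAMPLE_URLS) {
  return Object.fromEntries(urls.map((u) => [u, classify(u)]));
}

console.table(audit());
```

Under the hardened check every normalized `/secret` request is gated regardless of how the raw URL was spelled, which is what moving the guard past router normalization buys you.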
Resources
- Fluid Attacks Disclosure Policy: https://fluidattacks.com/advisories/policy
- Fluid Attacks advisory URL: https://fluidattacks.com/advisories/jimenez
Credits
- Cristian Vargas (Fluid Attacks Research Team) — discovery and report.
- Oscar Uribe (Fluid Attacks) — coordination and disclosure.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@fastify/middie"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2880"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-28T02:47:17Z",
"nvd_published_at": "2026-02-27T19:16:12Z",
"severity": "HIGH"
},
"details": "## Summary\nA path normalization inconsistency in `@fastify/middie` can result in authentication/authorization bypass when using path-scoped middleware (for example, `app.use(\u0027/secret\u0027, auth)`).\n\nWhen Fastify router normalization options are enabled (such as `ignoreDuplicateSlashes`, `useSemicolonDelimiter`, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.\n\n## Impact\nAn unauthenticated remote attacker can access endpoints intended to be protected by middleware-based auth/authorization controls by sending specially crafted URL paths (for example, `//secret` or `/secret;foo=bar`), depending on router option configuration.\n\nThis may lead to unauthorized access to protected functionality and data exposure.\n\n## Affected versions\n- Confirmed affected: `@fastify/middie@9.1.0`\n- All versions prior to the patch are affected.\n\n## Patched versions\n- Fixed in: *9.2.0*\n\n## Details\nThe issue is caused by canonicalization drift between:\n1. `@fastify/middie` path matching for `app.use(\u0027/prefix\u0027, ...)`, and\n2. Fastify/find-my-way route lookup normalization.\n\nBecause middleware and router did not always evaluate the same normalized path, auth middleware could be skipped while route resolution still succeeded.\n\n## Workarounds\nUntil patched version is deployed:\n- Avoid relying solely on path-scoped middie guards for auth/authorization.\n- Enforce auth at route-level handlers/hooks after router normalization.\n- Disable risky normalization combinations only if operationally feasible.\n\n## Resources\n- Fluid Attacks Disclosure Policy: https://fluidattacks.com/advisories/policy\n- Fluid Attacks advisory URL: https://fluidattacks.com/advisories/jimenez\n\n## Credits\n- **Cristian Vargas** (Fluid Attacks Research Team) \u2014 discovery and report.\n- **Oscar Uribe** (Fluid Attacks) \u2014 coordination and disclosure.",
"id": "GHSA-8p85-9qpw-fwgw",
"modified": "2026-02-28T02:47:17Z",
"published": "2026-02-28T02:47:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2880"
},
{
"type": "WEB",
"url": "https://github.com/fastify/middie/commit/140e0dd0359d890fec7e6ea1dcc5134d6bd554d4"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/jimenez"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/policy"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/middie"
},
{
"type": "WEB",
"url": "https://github.com/fastify/middie/releases/tag/v9.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware"
}