fix(deps): update dependency @fastify/middie to v9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@fastify/middie	^8.3.0 → ^9.0.0

GitHub Vulnerability Alerts

CVE-2026-22031

Summary

A security vulnerability exists in @fastify/middie where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.

Details

The vulnerability is caused by how middie matches requests against registered middleware paths.

1. Regex Generation: When fastify.use('/admin', ...) is called, middie uses path-to-regexp to generate a regular expression for the path /admin.
2. Request Matching: For every request, middie executes this regular expression against req.url (or req.originalUrl).
3. The Flaw: req.url in Fastify contains the raw, undecoded path string.
   • The generated regex expects a decoded path (e.g., /admin).
   • If a request is sent to /%61dmin, the regex comparison fails (/^\/admin/ does not match /%61dmin).
   • middie assumes the middleware does not apply and calls next().
4. Route Execution: The request proceeds to Fastify's internal router, which performs URL decoding. It correctly identifies /%61dmin as /admin and executes the corresponding route handler.

Incriminated Source Code:
In the provided middie source:

// ... inside Holder function
if (regexp) {
  const result = regexp.exec(url) // <--- 'url' is undecoded.
  if (result) {
    // ... executes middleware ...
  } else {
    that.done() // <--- Middleware skipped on mismatch
  }
}

PoC

Step 1: Run the following Fastify application (save as app.js):

const fastify = require('fastify')({ logger: true });

async function start() {
  // Register middie for Express-style middleware support
  await fastify.register(require('@​fastify/middie'));

  // Middleware to block /admin route
  fastify.use('/admin', (req, res, next) => {
    res.statusCode = 403;
    res.end('Forbidden: Access to /admin is blocked');
  });

  // Sample routes
  fastify.get('/', async (request, reply) => {
    return { message: 'Welcome to the homepage' };
  });

  fastify.get('/admin', async (request, reply) => {
    return { message: 'Admin panel' };
  });

  // Start server
  try {
    await fastify.listen({ port: 3008 });
  } catch (err) {
    fastify.log.error(err);
    process.exit(1);
  }
}

start();

Step 2: Execute the attack.

1. Normal Request (Blocked):

   curl http://localhost:3008/admin
   # Output: Forbidden: Access to /admin is blocked

2. Bypass Request (Successful):

   curl http://localhost:3008/%61dmin
   # Output: {"message":"Admin panel"}

Impact

• Type: Authentication/Authorization Bypass.
• Affected Components: Applications using @fastify/middie to apply security controls (auth, rate limiting, IP filtering) to specific route prefixes.
• Severity: High. Attackers can trivially bypass critical security middleware to access protected administrative or sensitive endpoints.

Severity

• CVSS Score: 8.4 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

CVE-2026-2880

Summary

A path normalization inconsistency in @fastify/middie can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).

When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.

Impact

An unauthenticated remote attacker can access endpoints intended to be protected by middleware-based auth/authorization controls by sending specially crafted URL paths (for example, //secret or /secret;foo=bar), depending on router option configuration.

This may lead to unauthorized access to protected functionality and data exposure.

Affected versions

• Confirmed affected: @fastify/middie@9.1.0
• All versions prior to the patch are affected.

Patched versions

• Fixed in: 9.2.0

Details

The issue is caused by canonicalization drift between:

1. @fastify/middie path matching for app.use('/prefix', ...), and
2. Fastify/find-my-way route lookup normalization.

Because middleware and router did not always evaluate the same normalized path, auth middleware could be skipped while route resolution still succeeded.

Workarounds

Until patched version is deployed:

• Avoid relying solely on path-scoped middie guards for auth/authorization.
• Enforce auth at route-level handlers/hooks after router normalization.
• Disable risky normalization combinations only if operationally feasible.

Resources

• Fluid Attacks Disclosure Policy: https://fluidattacks.com/advisories/policy
• Fluid Attacks advisory URL: https://fluidattacks.com/advisories/jimenez

Credits

• Cristian Vargas (Fluid Attacks Research Team) — discovery and report.
• Oscar Uribe (Fluid Attacks) — coordination and disclosure.

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CVE-2026-33804

Impact

@fastify/middie v9.3.1 and earlier does not read the deprecated (but still functional) top-level ignoreDuplicateSlashes option, only reading from routerOptions. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, allowing middleware bypass via URLs with duplicate leading slashes (e.g., //admin/secret).

This only affects applications using the deprecated top-level configuration style (fastify({ ignoreDuplicateSlashes: true })). Applications using routerOptions: { ignoreDuplicateSlashes: true } are not affected.

This is distinct from GHSA-8p85-9qpw-fwgw (CVE-2026-2880), which was patched in v9.2.0.

Patches

Upgrade to @fastify/middie >= 9.3.2.

Workarounds

Migrate from deprecated top-level ignoreDuplicateSlashes: true to routerOptions: { ignoreDuplicateSlashes: true }.

Severity

• CVSS Score: 7.4 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2026-6270

Impact

@fastify/middie v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fails to match incoming requests.

This results in complete bypass of middleware security controls for all routes defined within affected child plugin scopes, including nested (grandchild) scopes. Authentication, authorization, rate limiting, and any other middleware-based security mechanisms are skipped. No special request crafting or configuration is required.

This is the same vulnerability class as GHSA-hrwm-hgmj-7p9c (CVE-2026-33807) in @fastify/express.

Patches

Upgrade to @fastify/middie v9.3.2 or later.

Workarounds

None. Upgrade to the patched version.

Severity

• CVSS Score: 9.1 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

---

Release Notes

fastify/middie (@​fastify/middie)

v9.3.2

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-6270 GHSA-72c6-fx6q-fr5w.
This fixes CVE CVE-2026-33804 GHSA-v9ww-2j6r-98q6.

What's Changed

• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in #​256
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in #​258
• ci: add lock-threads workflow by @​Fdawgs in #​259

Full Changelog: fastify/middie@v9.3.1...v9.3.2

v9.3.1

Compare Source

What's Changed

• fix: preserve percent-encoding in prefix stripping by @​panva in #​255

Full Changelog: fastify/middie@v9.3.0...v9.3.1

v9.3.0

Compare Source

What's Changed

• chore(license): standardise license notice by @​Fdawgs in #​250
• fix: preserve query string when stripping path prefix by @​panva in #​249
• build(deps-dev): bump c8 from 10.1.3 to 11.0.0 by @​dependabot[bot] in #​253

New Contributors

• @​panva made their first contribution in #​249

Full Changelog: fastify/middie@v9.2.0...v9.3.0

v9.2.0

Compare Source

⚠️ Security Release

Fixes GHSA-8p85-9qpw-fwgw

What's Changed

• ci: remove stale.yml by @​Tony133 in #​247

New Contributors

• @​Tony133 made their first contribution in #​247

Full Changelog: fastify/middie@v9.1.0...v9.2.0

v9.1.0

Compare Source

What's Changed

• build(dependabot): reduce npm updates to monthly by @​Fdawgs in #​228
• chore: rename master to main by @​Fdawgs in #​230
• ci(ci): set job permissions by @​Fdawgs in #​231
• test: migrate from tap to node:test by @​matteo-gobbo in #​229
• chore: remove .taprc by @​Fdawgs in #​232
• ci: set permissions at workflow level by @​Fdawgs in #​233
• ci: restore job level permissions by @​Fdawgs in #​234
• build(deps-dev): bump serve-static from 1.16.2 to 2.2.0 by @​dependabot[bot] in #​235
• build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @​dependabot[bot] in #​236
• chore(license): update date ranges; standardise style by @​Fdawgs in #​237
• build(deps-dev): bump @​types/node from 22.15.34 to 24.0.8 by @​dependabot[bot] in #​238
• chore(tests): removed simple-get by @​ilteoood in #​239
• build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @​dependabot[bot] in #​241
• chore(.npmrc): ignore scripts by @​Fdawgs in #​242
• build(deps-dev): remove @​fastify/pre-commit by @​Fdawgs in #​243
• ci(ci): add concurrency config by @​Fdawgs in #​244
• build(deps-dev): bump @​types/node from 24.10.4 to 25.0.3 by @​dependabot[bot] in #​246
• fix: decode paths before matching by @​kamilmysliwiec in #​245

New Contributors

• @​matteo-gobbo made their first contribution in #​229
• @​ilteoood made their first contribution in #​239
• @​kamilmysliwiec made their first contribution in #​245

Full Changelog: fastify/middie@v9.0.3...v9.1.0

v9.0.3

Compare Source

What's Changed

• build(deps-dev): bump helmet from 7.2.0 to 8.0.0 by @​dependabot in #​217
• refactor(lib/engine): replace var with let by @​Fdawgs in #​218
• build(deps): bump fastify/workflows from 5.0.0 to 5.0.1 by @​dependabot in #​219
• style: remove trailing whitespace by @​Fdawgs in #​220
• docs(readme): update ci badge syntax by @​Fdawgs in #​221
• build(deps-dev): replace standard with neostandard by @​Fdawgs in #​222
• types: use node: prefix for builtins by @​Fdawgs in #​223
• build(deps-dev): bump neostandard from 0.11.9 to 0.12.0 by @​dependabot in #​224
• build(deps-dev): add eslint, peer dep of neostandard by @​Fdawgs in #​225
• refactor: prefix unused params with underscores by @​Fdawgs in #​226
• docs(readme): spelling and grammar fixes by @​Fdawgs in #​227

Full Changelog: fastify/middie@v9.0.2...v9.0.3

v9.0.2

Compare Source

What's Changed

• chore: update fastify to ^5.0.0 by @​Fdawgs in #​216

Full Changelog: fastify/middie@v9.0.1...v9.0.2

v9.0.1

Compare Source

Security

• path-to-regexp is updated to 8.1.0 to prevent ReDOS attack, it is recommended to use the latest version of this package.

What's Changed

• chore: bump path-to-regexp to 8.1.0 by @​climba03003 in #​212

Full Changelog: fastify/middie@v9.0.0...v9.0.1

v9.0.0

Compare Source

What's Changed

• Merge next into master by @​jsumners in #​203
• build(deps): bump @​fastify/error from 3.4.1 to 4.0.0 by @​dependabot in #​205
• build(deps): bump fastify/workflows from 4.1.0 to 4.2.1 by @​dependabot in #​206
• build(deps-dev): bump @​types/node from 20.14.13 to 22.0.0 by @​dependabot in #​208
• build(deps): bump fastify/workflows from 4.2.1 to 5.0.0 by @​dependabot in #​210
• chore: update min fastify version by @​Fdawgs in #​209

New Contributors

• @​jsumners made their first contribution in #​203

Full Changelog: fastify/middie@v8.3.1...v9.0.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.