1. Home
  2. CVE Database
  3. CVE-2026-33804
HIGH · 7.4

CVE-2026-33804

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account...

Vulnerability Description

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

CVSS Score

7.4

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE

Affected Products

VendorProductVersions
FastifyFastify\/Middie< 9.3.2

Related Weaknesses (CWE)

CWE-436

References

FAQ

What is CVE-2026-33804?

CVE-2026-33804 is a vulnerability with a CVSS score of 7.4 (HIGH). @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account...

How severe is CVE-2026-33804?

CVE-2026-33804 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-33804?

Check the references section above for vendor advisories and patch information. Affected products include: Fastify Fastify\/Middie.