CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-2880: Authorization Bypass via URL Canonicalization Drift in @fastify/middie

Vulnerability ID: CVE-2026-2880
CVSS Score: 8.2
Published: 2026-02-28

A high-severity authentication bypass vulnerability exists in @fastify/middie, the middleware engine for the Fastify web framework. The flaw stems from a discrepancy in URL path normalization between the middleware matching engine and Fastify's core router: the router canonicalizes the request path before matching a route, while the middleware engine matches its prefix against the raw path. By crafting HTTP requests with specific path anomalies (such as duplicate slashes or semicolon delimiters), an attacker can bypass path-scoped middleware (for example, authentication or validation layers) while still reaching the intended route handler. This effectively neutralizes security controls applied to specific route prefixes.

TL;DR

Attackers can bypass authentication middleware in Fastify applications using @fastify/middie < 9.2.0 by sending crafted URLs (e.g., //admin). The router normalizes the path and serves the resource, but the middleware engine fails to match the prefix, skipping security checks.

⚠️ Exploit Status: PoC

Technical Details

  • CVE ID: CVE-2026-2880
  • CVSS v4.0: 8.2 (High)
  • CWE ID: CWE-20 (Improper Input Validation)
  • Attack Vector: Network
  • Exploit Status: PoC Available
  • Patch Status: Available (v9.2.0)

Affected Systems

  • @fastify/middie < 9.2.0 (fixed in 9.2.0)
  • Fastify applications using path-scoped middleware

Code Analysis

Commit: 140e0dd

Fix: synchronize router options for path normalization


Exploit Details

Mitigation Strategies

  • Normalize URL paths consistently across all application layers.
  • Prefer route-level hooks (onRequest) over path-scoped middleware for critical security controls in Fastify.
  • Disable permissive router options like ignoreDuplicateSlashes if strict path matching is required.
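A minimal model of the mismatch summarized above and of the consistent normalization the first mitigation calls for, written as an added example: it is not code from @fastify/middie or Fastify, and the canonicalize rules, option names and function names are assumptions that approximate the router options this report names.

```javascript
// Model of the drift the advisory describes: the router canonicalizes the
// request path before matching a route, while a prefix-scoped middleware
// layer compares the raw path. Names and the canonicalization rules are a
// constructed approximation of Fastify's router options, not middie's code.

// Router-style canonicalization: cut at '?', '#' or ';' (the delimiter the
// advisory mentions), then apply the permissive options if enabled.
function canonicalize(rawUrl, opts = {}) {
  let path = rawUrl;
  for (const stop of ['?', '#', ';']) {
    const i = path.indexOf(stop);
    if (i !== -1) path = path.slice(0, i);
  }
  if (opts.ignoreDuplicateSlashes) path = path.replace(/\/{2,}/g, '/');
  if (opts.ignoreTrailingSlash && path.length > 1 && path.endsWith('/')) {
    path = path.slice(0, -1);
  }
  return path;
}

// Prefix match on path segments: '/admin' covers '/admin' and '/admin/...'.
function prefixMatches(prefix, path) {
  return path === prefix || (path.startsWith(prefix) && path[prefix.length] === '/');
}

// Vulnerable shape: the middleware decides on the raw URL, the router on the
// canonical path, so the two can disagree about the same request.
function dispatchDrifting(rawUrl, opts) {
  return {
    routed: canonicalize(rawUrl, opts) === '/admin',
    middlewareRan: prefixMatches('/admin', rawUrl),
  };
}

// Fixed shape (what "synchronize router options" amounts to): one canonical
// path feeds both decisions, so a routed request always passed the middleware.
function dispatchSynchronized(rawUrl, opts) {
  const path = canonicalize(rawUrl, opts);
  return { routed: path === '/admin', middlewareRan: prefixMatches('/admin', path) };
}

// Defender-side check: flag requests whose raw path differs from its canonical
// form; these are the inputs that exercise the drift and are worth logging.
function isDriftRequest(rawUrl, opts) {
  const rawPath = rawUrl.split('?')[0];
  return canonicalize(rawUrl, opts) !== rawPath;
}

// Constructed sample of the permissive configuration the advisory warns about.
const permissiveRouter = { ignoreDuplicateSlashes: true, ignoreTrailingSlash: true };
```

With the drifting dispatcher, `//admin` and `/admin;x` are routed but never pass the `/admin` middleware; with the synchronized one, every routed request has passed it.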

Remediation Steps:

  1. Identify if @fastify/middie is present in your dependency tree.
  2. Update @fastify/middie to version 9.2.0 or later immediately.
  3. Verify the update: npm list @fastify/middie should show 9.2.0+.
  4. Audit existing middleware definitions to ensure they do not rely solely on prefix matching if the router is configured loosely.

References


Read the full report for CVE-2026-2880 on our website for more details including interactive diagrams and full exploit analysis.