CVE-2026-33804 · CRITICAL 9.1 · EPSS percentile 19.3%

Description

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.28% probability of exploitation · percentile 19.3% · scored 2026-06-19T12:03:05Z
Published: 2026-04-16
Last modified: 2026-05-14

Underlying weaknesses · 1

CWE-436

References

  1. https://cna.openjsf.org/security-advisories.html
  2. https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6

Type        Target                              Confidence   Tier
Weakness    Interpretation Conflict (cwe-436)   0%           live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-33808
  2. CVE: CVE-2026-2880
  3. CVE: CVE-2026-22031
  4. CVE: CVE-2026-33807
  5. CVE: CVE-2026-22037
  6. CVE: CVE-2026-6270

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.