CVE-2026-22031 Overview
A security vulnerability exists in @fastify/middie, the plugin that adds Express-style middleware support to the Fastify web framework. This authorization bypass vulnerability allows attackers to circumvent middleware-based access controls by exploiting inconsistent URL decoding between the middleware engine and the underlying Fastify router.
The vulnerability enables attackers to bypass path-based middleware protections using URL-encoded characters. For example, a protected /admin endpoint can be accessed using /%61dmin (where %61 is the URL-encoded form of 'a'). The middleware engine fails to match the encoded path and skips execution, while Fastify's router correctly decodes the path and routes the request to the protected handler.
Critical Impact
Attackers can bypass authentication and authorization middleware to access protected endpoints, potentially exposing sensitive administrative functions and data without proper security constraints.
Affected Products
- @fastify/middie versions prior to 9.1.0
- Fastify applications using path-based middleware protection
- Node.js web applications relying on @fastify/middie for access control
Discovery Timeline
- 2026-01-19 - CVE-2026-22031 published to NVD
- 2026-01-19 - Last updated in the NVD database
Technical Details for CVE-2026-22031
Vulnerability Analysis
This vulnerability stems from a path matching inconsistency between the middleware engine and Fastify's routing layer. When middleware is registered with a specific path prefix (such as /admin), the middleware engine performs path matching against the raw, encoded URL. However, Fastify's internal router (find-my-way) decodes URL-encoded characters before matching routes.
This creates a security gap where an attacker can craft a request with URL-encoded path segments that bypass middleware checks while still being correctly routed to the intended handler. The attack requires network access and low privileges, but can result in unauthorized access to protected resources with potential cross-scope impact.
Root Cause
The root cause is classified under CWE-177 (Improper Handling of URL Encoding). The middleware engine was not decoding URL-encoded paths before performing prefix matching, creating an inconsistency with Fastify's router behavior. This allowed encoded paths to slip through middleware checks while still being recognized by the underlying route handlers.
Attack Vector
The attack vector is network-based and exploits the URL encoding inconsistency. An attacker identifies a protected endpoint (e.g., /admin) and crafts a request using URL-encoded equivalents of path characters. For instance, /admin becomes /%61dmin, /%2561dmin, or other encoding variations. The middleware sees /%61dmin and determines it doesn't match the /admin prefix, allowing the request to pass without executing the middleware. Fastify's router then decodes the path and correctly routes it to the /admin handler, bypassing any authentication or authorization middleware.
// Security patch in lib/engine.js - fix: decode paths before matching (#245)
const reusify = require('reusify')
const { pathToRegexp } = require('path-to-regexp')
+const FindMyWay = require('find-my-way')
function middie (complete) {
const middlewares = []
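Review bot: the excerpt shows only the new `require('find-my-way')`; the lines inside `middie()` where the decoded path replaces the raw one in the prefix check and the `pathToRegexp` match are not visible, so the commit message or a code comment should state that change and how a malformed percent-sequence is handled (a decode failure must not fall through as "no match", since skipping the middleware is exactly the bypass this fix addresses). Also confirm find-my-way is declared as a runtime dependency in package.json, not only pulled in transitively through fastify.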
Source: GitHub Commit Update
The fix introduces find-my-way to ensure consistent path decoding before matching, aligning the middleware engine's behavior with Fastify's router.
Detection Methods for CVE-2026-22031
Indicators of Compromise
- HTTP requests containing URL-encoded path segments targeting protected endpoints (e.g., /%61dmin, /%2Fadmin)
- Successful responses from administrative or protected routes without corresponding authentication middleware execution
- Unusual access patterns to sensitive endpoints from unexpected sources
- Log entries showing encoded paths that decode to protected routes
Detection Strategies
- Implement request logging that captures both raw and decoded URL paths for comparison
- Monitor for requests containing percent-encoded characters in path segments that would normally require authentication
- Deploy web application firewalls (WAF) with rules to detect and alert on URL-encoded path bypass attempts
- Review application access logs for successful requests to protected endpoints without accompanying authentication events
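The strategy of comparing raw and decoded paths, applied to access-log lines, as an added example that is not part of the advisory or of any Fastify tooling; the log format, the entries and the protected prefixes are all constructed for this example, so adapt the regex to your own logger.

```javascript
// Added example: scan access-log lines for the encoded-path bypass pattern
// (decoded path reaches a protected prefix, raw path does not). Node.js, no deps.
const PROTECTED = ['/admin', '/internal']; // constructed sample prefixes

// Constructed sample lines: timestamp, client IP, method, raw path, status.
const SAMPLE_LOG = `
2026-01-19T10:00:01Z 198.51.100.7 GET /admin/users 401
2026-01-19T10:00:02Z 198.51.100.7 GET /%61dmin/users 200
2026-01-19T10:00:03Z 192.0.2.44 GET /public/index.html 200
2026-01-19T10:00:04Z 198.51.100.7 GET /%61dmin/%73ettings 200
2026-01-19T10:00:05Z 203.0.113.9 GET /admin/%zz 400
`.trim();

const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) (\d{3})$/;

// Percent-decode once (strip any query string first); null means the
// encoding was malformed and decodeURIComponent threw.
function decodePath(raw) {
  try { return decodeURIComponent(raw.split('?')[0]); } catch { return null; }
}

function matchesProtected(path) {
  return PROTECTED.some(p => path === p || path.startsWith(p + '/'));
}

// Returns one finding per suspicious line. A 2xx status on a protected route
// reached only through encoding is the "successful bypass" indicator; any
// other status is still an attempt worth correlating with auth logs.
function scanLog(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue; // not in the expected format, skip
    const [, ts, ip, method, rawPath, status] = m;
    const decoded = decodePath(rawPath);
    if (decoded === null) {
      findings.push({ ts, ip, method, rawPath, status, reason: 'malformed-encoding' });
      continue;
    }
    if (matchesProtected(decoded) && !matchesProtected(rawPath.split('?')[0])) {
      findings.push({
        ts, ip, method, rawPath, decoded, status,
        reason: status.startsWith('2') ? 'encoded-bypass-success' : 'encoded-bypass-attempt',
      });
    }
  }
  return findings;
}
```

Running `scanLog(SAMPLE_LOG)` flags the two `/%61dmin/...` hits as successful bypasses and the `/%zz` request as malformed encoding, while the plain `/admin/users` 401 is left alone because its raw path already matched the prefix.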
Monitoring Recommendations
- Enable detailed access logging on all Fastify applications using @fastify/middie
- Configure alerting for requests with unusual URL encoding patterns targeting sensitive paths
- Implement anomaly detection for access to administrative endpoints
- Correlate authentication logs with endpoint access logs to identify potential bypass attempts
How to Mitigate CVE-2026-22031
Immediate Actions Required
- Upgrade @fastify/middie to version 9.1.0 or later immediately
- Audit all path-based middleware configurations for sensitive endpoints
- Review recent access logs for signs of exploitation using URL-encoded paths
- Consider implementing additional authentication checks at the route handler level as defense-in-depth
Patch Information
The vulnerability is fixed in @fastify/middie version 9.1.0. The patch introduces proper path decoding using find-my-way before middleware matching, ensuring consistency with Fastify's router behavior. Upgrade using npm:
npm update @fastify/middie
For detailed patch information, see the GitHub Security Advisory, GitHub Pull Request #245, and GitHub Release v9.1.0.
Workarounds
- Implement URL decoding normalization at the application entry point before middleware execution
- Add duplicate authorization checks directly within route handlers for critical endpoints
- Deploy a reverse proxy that normalizes URL-encoded paths before forwarding to the application
- Use route-level hooks (preHandler) for authentication instead of relying solely on path-based middleware
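As an added example that is not part of the advisory or of @fastify/middie, the matcher below contrasts the raw-prefix comparison described in the vulnerability analysis with the normalizing comparison that the first workaround (decode before middleware runs) calls for. The protected prefixes are constructed, and the single decodeURIComponent pass is a simplification of find-my-way's decoding rules rather than a copy of them.

```javascript
// Added example, not project code: why raw-prefix matching diverges from the
// router's decoded view, and a normalizing matcher that closes the gap.
const PROTECTED_PREFIXES = ['/admin', '/internal']; // constructed sample values

// Vulnerable behaviour: the prefix is compared against the raw, still-encoded
// path, so an encoded character in the prefix defeats the comparison.
function rawPrefixMatch(rawUrl, prefix) {
  const path = rawUrl.split('?')[0];
  return path === prefix || path.startsWith(prefix + '/');
}

// Normalize the path the way a router sees it: drop the query string, decode
// percent-sequences once, collapse duplicate slashes. Returns null on malformed
// encoding so the caller can reject the request (400) instead of treating it as
// "no match" and silently skipping the guard.
function normalizePath(rawUrl) {
  const path = rawUrl.split('?')[0];
  let decoded;
  try {
    decoded = decodeURIComponent(path);
  } catch {
    return null; // malformed percent-sequence, e.g. "%zz"
  }
  return decoded.replace(/\/{2,}/g, '/');
}

// Hardened behaviour: compare the prefix against the normalized path.
function normalizedPrefixMatch(rawUrl, prefix) {
  const path = normalizePath(rawUrl);
  if (path === null) return null;
  return path === prefix || path.startsWith(prefix + '/');
}

// What the guard middleware should do for a request: 'run' the auth check,
// 'skip' it (public path), or 'reject' the request outright.
function guardDecision(rawUrl, matcher = normalizedPrefixMatch) {
  for (const prefix of PROTECTED_PREFIXES) {
    const m = matcher(rawUrl, prefix);
    if (m === null) return 'reject';
    if (m) return 'run';
  }
  return 'skip';
}
```

With the raw matcher, `guardDecision('/%61dmin/users', rawPrefixMatch)` returns 'skip' (the bypass), while the default normalized matcher returns 'run'; wiring `normalizePath` into a Fastify `onRequest` hook or `rewriteUrl` option is left to the reader's own setup.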
# Configuration example - Upgrade to patched version
npm install @fastify/middie@^9.1.0
# Verify installed version
npm list @fastify/middie
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.