CVE-2026-33804: Fastify Middie Auth Bypass Vulnerability

CVE-2026-33804 is an authentication bypass flaw in @fastify/middie that allows attackers to evade middleware checks via duplicate slashes. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-33804 Overview

CVE-2026-33804 is an Authorization Bypass vulnerability affecting @fastify/middie versions 9.3.1 and earlier. The vulnerability allows attackers to bypass middleware authentication and authorization checks when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic fails to account for duplicate slash normalization performed by Fastify's router, creating a path-based security bypass condition.

Critical Impact

Attackers can bypass authentication and authorization middleware by crafting requests with duplicate slashes, potentially gaining unauthorized access to protected routes and sensitive resources.

Affected Products

  • @fastify/middie versions 9.3.1 and earlier
  • Fastify applications using the deprecated ignoreDuplicateSlashes option
  • Node.js web applications relying on @fastify/middie for middleware integration

Discovery Timeline

  • April 16, 2026 - CVE-2026-33804 published to NVD
  • April 16, 2026 - Last updated in NVD database

Technical Details for CVE-2026-33804

Vulnerability Analysis

This vulnerability is classified under CWE-436 (Interpretation Conflict), where the middleware path matching logic interprets request paths differently than Fastify's core router. When the deprecated ignoreDuplicateSlashes option is enabled, Fastify's router normalizes duplicate slashes in the request path (e.g., //admin//dashboard becomes /admin/dashboard). However, the @fastify/middie middleware evaluates the original, non-normalized path before routing occurs.

This interpretation conflict creates a dangerous security gap where middleware-based authentication and authorization checks can be completely bypassed. An attacker can craft requests with strategically placed duplicate slashes that fail to match protected path patterns in the middleware, while still reaching the intended route handler after Fastify normalizes the path.

Root Cause

The root cause lies in the order of operations and the inconsistent path handling between @fastify/middie and Fastify's core router. When ignoreDuplicateSlashes is enabled, the middleware receives the raw request path with duplicate slashes intact, while the router processes a normalized version. This desynchronization allows paths like //api//protected//resource to slip past middleware rules targeting /api/protected/resource.

Attack Vector

The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by sending HTTP requests with duplicate slashes in the URL path. For example, if middleware is configured to require authentication for requests matching /admin/*, a request to //admin/users or /admin//users may bypass the middleware check entirely while still being routed to the protected /admin/users endpoint by Fastify's router.

The vulnerability mechanism works as follows: middleware path matching checks the raw request path containing duplicate slashes, which does not match the expected pattern. The request proceeds without triggering authentication middleware. Fastify's router then normalizes the path by removing duplicate slashes and routes the request to the intended protected endpoint. See the GitHub Security Advisory GHSA-v9ww-2j6r-98q6 for additional technical details.
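The interpretation conflict above, reduced to a runnable model. This is an added example, not code from the advisory, from Fastify or from @fastify/middie; the protected-route rule (`/admin/` followed by one path segment) and the function names are hypothetical, and the normalization simply collapses runs of slashes the way the advisory describes.

```javascript
// Added example: models the middleware/router path mismatch behind CVE-2026-33804.
// Not Fastify or @fastify/middie code; the rule and names below are hypothetical.

// Models the ignoreDuplicateSlashes behaviour described above: runs of "/" collapse to one.
function collapseDuplicateSlashes(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Hypothetical middleware rule for "/admin/*" where "*" is a single path segment.
const PROTECTED_ROUTE = /^\/admin\/[^/]+/;

// Vulnerable pattern: the rule is evaluated on the raw request path, which is what
// the middleware sees before the router normalizes duplicate slashes.
function requiresAuthRaw(rawPath) {
  return PROTECTED_ROUTE.test(rawPath);
}

// Hardened pattern: normalize first so the middleware and the router agree on
// which path is being evaluated (the same idea as a pre-handler normalization hook).
function requiresAuthNormalized(rawPath) {
  return PROTECTED_ROUTE.test(collapseDuplicateSlashes(rawPath));
}

// Simulates "middleware check, then routing" for one request: which handler the
// router would reach, and whether the given check would have enforced auth.
function simulate(rawPath, check) {
  return {
    routedTo: collapseDuplicateSlashes(rawPath),
    authEnforced: check(rawPath),
  };
}

// Constructed sample paths drawn from the advisory text.
const SAMPLE_PATHS = ['/admin/users', '//admin/users', '/admin//users'];
for (const p of SAMPLE_PATHS) {
  const weak = simulate(p, requiresAuthRaw);
  const fixed = simulate(p, requiresAuthNormalized);
  console.log(`${p} -> routed to ${weak.routedTo}; raw check: ${weak.authEnforced}, normalized check: ${fixed.authEnforced}`);
}
```

Both duplicate-slash variants reach the same `/admin/users` handler; only the normalized check still classifies them as protected.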

Detection Methods for CVE-2026-33804

Indicators of Compromise

  • HTTP request logs showing URLs with unexpected duplicate slashes (e.g., //api//, /admin//resource)
  • Access to protected endpoints from unauthenticated sessions or unauthorized users
  • Web server logs indicating path normalization occurring after middleware processing
  • Authentication middleware logs showing fewer requests than expected for protected routes

Detection Strategies

  • Review application configurations to identify usage of the deprecated ignoreDuplicateSlashes option in Fastify
  • Audit dependency versions to identify @fastify/middie installations at version 9.3.1 or earlier
  • Implement web application firewall (WAF) rules to detect and block requests containing consecutive slashes
  • Monitor authentication and authorization middleware logs for unexpected path patterns

Monitoring Recommendations

  • Enable detailed request logging that captures the original URL path before any normalization
  • Set up alerts for access to sensitive endpoints that bypass expected authentication flows
  • Implement anomaly detection for requests with unusual path patterns reaching protected resources
  • Regularly audit middleware execution logs against actual route handler invocations
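One way to turn the indicators and monitoring points above into a log check. This is an added example, not from the advisory or from any vendor tooling; the log line format, the protected prefixes and the sample entries are all constructed for illustration, and the hypothetical `auth=` field stands in for whatever your access log records about the request's authentication state.

```javascript
// Added example: scan a constructed access log for duplicate-slash requests that
// resolve to protected routes. Format (constructed): <client> <method> <raw_path> <status> auth=<yes|no>
const PROTECTED_PREFIXES = ['/admin/', '/api/protected/']; // hypothetical

function collapseDuplicateSlashes(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Parses one log line into its fields; returns null for lines that do not match the format.
function parseLine(line) {
  const m = line.match(/^(\S+) (GET|POST|PUT|DELETE|PATCH) (\S+) (\d{3}) auth=(yes|no)$/);
  if (!m) return null;
  const [, client, method, rawPath, status, auth] = m;
  return { client, method, rawPath, status: Number(status), authenticated: auth === 'yes' };
}

// An entry matters only if the raw path carries duplicate slashes AND its normalized
// form lands under a protected prefix. An unauthenticated 2xx on such a path is the
// strongest signal that the middleware check was bypassed; anything else is a probe.
function classify(entry) {
  const hasDupSlash = /\/\//.test(entry.rawPath);
  const normalized = collapseDuplicateSlashes(entry.rawPath);
  const protectedTarget = PROTECTED_PREFIXES.some((p) => normalized.startsWith(p));
  if (!hasDupSlash || !protectedTarget) return 'ok';
  const success = entry.status >= 200 && entry.status < 300;
  return success && !entry.authenticated ? 'likely-bypass' : 'probe';
}

// Returns every flagged entry with its normalized path and verdict.
function scanLog(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const entry = parseLine(line.trim());
    if (!entry) continue;
    const verdict = classify(entry);
    if (verdict !== 'ok') {
      findings.push({ ...entry, normalized: collapseDuplicateSlashes(entry.rawPath), verdict });
    }
  }
  return findings;
}

// Constructed sample log; not real traffic.
const SAMPLE_LOG = `
203.0.113.5 GET /admin/users 401 auth=no
203.0.113.5 GET //admin/users 200 auth=no
203.0.113.5 GET /admin//users 403 auth=no
198.51.100.7 GET //api//protected//resource 200 auth=no
198.51.100.7 GET /public//docs 200 auth=no
`;

console.table(scanLog(SAMPLE_LOG));
```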

How to Mitigate CVE-2026-33804

Immediate Actions Required

  • Upgrade @fastify/middie to version 9.3.2 or later immediately
  • Audit your Fastify configuration and disable the deprecated ignoreDuplicateSlashes option if currently enabled
  • Review access logs for evidence of exploitation attempts using duplicate slash patterns
  • Implement input validation to reject or normalize requests with duplicate slashes at the edge

Patch Information

The vulnerability is fixed in @fastify/middie version 9.3.2. This patch ensures the middleware path matching logic properly accounts for the duplicate slash normalization behavior when ignoreDuplicateSlashes is enabled. Organizations should update their package.json dependencies and run npm update @fastify/middie or the equivalent command for their package manager. For more information, refer to the GitHub Security Advisory GHSA-v9ww-2j6r-98q6 and the OpenJS Foundation Security Advisories.

Workarounds

  • Disable the deprecated ignoreDuplicateSlashes option in Fastify configuration (this is the only vendor-recommended workaround)
  • Implement a pre-handler hook that normalizes paths before middleware evaluation as a temporary measure
  • Deploy a reverse proxy or WAF rule to normalize or reject requests with duplicate slashes before they reach the application
  • Consider implementing route-level authentication checks as an additional layer of defense

```bash
# Update @fastify/middie to the patched version; npm update only moves within the
# semver range declared in package.json, so check the result with the list command below
npm update @fastify/middie

# Or explicitly install the patched version
npm install @fastify/middie@9.3.2

# Verify that the installed version is 9.3.2 or later
npm list @fastify/middie
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
