PT-2026-22377 · Fastify · @Fastify/Middie

Cristian Vargas +1 · Published 2026-02-27 · Updated 2026-02-28 · CVE-2026-2880

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

@fastify/middie versions prior to 9.2.0

Description

A flaw in @fastify/middie can lead to authentication or authorization bypass when path-scoped middleware is used, for example app.use('/secret', auth). The issue arises when Fastify router normalization options are enabled, including ignoreDuplicateSlashes, useSemicolonDelimiter, and trailing-slash behavior. Specially crafted request paths may then circumvent the middleware checks while still reaching the protected handlers.

Recommendations

Update @fastify/middie to version 9.2.0 or later.
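
To check whether a project matches the conditions in this advisory, the following added example (not code from the advisory or from the Fastify project) scans a parsed package-lock.json for @fastify/middie copies older than 9.2.0 and reports which router normalization options are switched on in the Fastify options object. The function names are hypothetical, and ignoreTrailingSlash and routerOptions are Fastify option names assumed here rather than taken from this page.

```javascript
// Added example; sample data is constructed, not from a real project.
const FIXED = [9, 2, 0]; // first fixed @fastify/middie release per the advisory
const PKG_SUFFIX = 'node_modules/@fastify/middie';
// Options named by the advisory; ignoreTrailingSlash is assumed to be the
// "trailing-slash behavior" it refers to.
const NORMALIZATION_OPTIONS = ['ignoreDuplicateSlashes', 'useSemicolonDelimiter', 'ignoreTrailingSlash'];

// True when `version` sorts before 9.2.0; a 9.2.0 pre-release counts as prior.
function isPriorToFix(version) {
  const [core, prerelease] = version.split('+')[0].split('-', 2);
  const parts = core.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return prerelease !== undefined;
}

// Every installed copy, top-level or nested, in a parsed package-lock.json
// (lockfileVersion 2 or 3, which carry a "packages" map).
function findVulnerableInstalls(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path.endsWith(PKG_SUFFIX) && meta.version && isPriorToFix(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Normalization options explicitly set to true, at the top level or under
// routerOptions. Defaults are not inspected and differ between Fastify majors.
function enabledNormalization(opts) {
  const merged = { ...opts, ...(opts.routerOptions || {}) };
  return NORMALIZATION_OPTIONS.filter((name) => merged[name] === true);
}

function assessExposure(lock, fastifyOptions) {
  const installs = findVulnerableInstalls(lock);
  const options = enabledNormalization(fastifyOptions);
  return { installs, options, matchesAdvisory: installs.length > 0 && options.length > 0 };
}

// Constructed sample input.
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/@fastify/middie': { version: '9.1.0' },
  'node_modules/some-plugin/node_modules/@fastify/middie': { version: '9.2.0' },
} };
const sampleOptions = { ignoreDuplicateSlashes: true, routerOptions: { ignoreTrailingSlash: true } };
console.log(assessExposure(sampleLock, sampleOptions));
```

Any copy listed under installs should be upgraded even when no option is flagged, since only explicitly set options are detected.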

Related Identifiers

CVE-2026-2880
GHSA-8P85-9QPW-FWGW

Affected Products

@Fastify/Middie