CVE-2026-33804

Name of the Vulnerable Software and Affected Versions @fastify/middie versions prior to 9.3.2

Description A middleware bypass exists when the deprecated ignoreDuplicateSlashes option is enabled. The middleware path matching logic fails to account for duplicate slash normalization performed by the router, allowing requests with duplicate leading slashes (e.g., '//admin/secret') to bypass authentication and authorization checks. This issue specifically affects applications using the deprecated top-level configuration style fastify({ ignoreDuplicateSlashes: true }) rather than the routerOptions configuration.

Recommendations Upgrade to @fastify/middie version 9.3.2. As a temporary workaround, migrate from the deprecated top-level ignoreDuplicateSlashes: true configuration to routerOptions: { ignoreDuplicateSlashes: true } or disable the ignoreDuplicateSlashes option.