CVE-2026-22031

Name of the Vulnerable Software and Affected Versions @fastify/middie versions prior to 9.1.0

Description A security issue exists in @fastify/middie where middleware registered with a specific path prefix can be bypassed using URL-encoded characters. For example, using /%61dmin instead of /admin. The middleware engine fails to match the encoded path, skipping execution, but the Fastify router decodes the path and matches the route handler, potentially allowing access to protected endpoints. The issue occurs because the underlying Fastify router correctly decodes the path while the middleware engine does not. This allows attackers to bypass middleware constraints and access protected endpoints.

Recommendations Update @fastify/middie to version 9.1.0 or later.