PT-2026-54638 · Npm · @Fastify/Middie

Jvr2022

+2

·

Published

2026-07-01

·

Updated

2026-07-02

·

CVE-2026-14181

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions @fastify/middie versions 9.1.0 through 9.3.2
Description An issue exists in the standalone engine's URL normalization and decoding process where malformed percent-encoded sequences in incoming request paths are not properly guarded. Specifically, inputs such as truncated multibyte sequences or incomplete percent escapes cause the underlying decoder to throw a synchronous exception. This exception escapes the normalization step and terminates the Node.js process, resulting in a denial of service for all connected clients. This affects applications that call the middie.run() function directly via the standalone engine API. Applications using the Fastify plugin path are not affected as the framework's error handler catches the exception.
Recommendations Upgrade to @fastify/middie version 9.3.3. Migrate from the standalone engine API to the Fastify plugin path to allow the framework error handler to catch the exception.

Exploit

Fix

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-14181
GHSA-QCC9-JH8Q-47VH

Affected Products

@Fastify/Middie