PT-2026-54638 · Npm · @Fastify/Middie
Jvr2022
+2
·
Published
2026-07-01
·
Updated
2026-07-02
·
CVE-2026-14181
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
@fastify/middie versions 9.1.0 through 9.3.2
Description
An issue exists in the standalone engine's URL normalization and decoding process where malformed percent-encoded sequences in incoming request paths are not properly guarded. Specifically, inputs such as truncated multibyte sequences or incomplete percent escapes cause the underlying decoder to throw a synchronous exception. This exception escapes the normalization step and terminates the Node.js process, resulting in a denial of service for all connected clients. This affects applications that call the
middie.run() function directly via the standalone engine API. Applications using the Fastify plugin path are not affected as the framework's error handler catches the exception.Recommendations
Upgrade to @fastify/middie version 9.3.3.
Migrate from the standalone engine API to the Fastify plugin path to allow the framework error handler to catch the exception.
Exploit
Fix
DoS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
@Fastify/Middie