@nestjs/platform-fastify is vulnerable to URL normalization bypass
Risk score: 80 (High Risk)
Affected versions of this package are subject to a Fastify middleware bypass caused by inconsistent URL normalization and sanitization before route matching and security checks. Because duplicate slashes, trailing slashes, letter case, and URI decoding are not handled the same way at each stage, a crafted request can be interpreted differently by middleware and by the router. An attacker could exploit this by sending specially crafted paths (e.g., using //, mixed casing, encoded characters, or trailing slashes) to bypass authentication or authorization middleware and access protected endpoints. The root cause is mismatched canonicalization logic, which enables path confusion and access-control evasion.
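The defensive pattern the description points at is a single canonicalization step that runs before both the access-control decision and route matching, so the two can never disagree about which resource a path names. The following is an added example written for this page; it is not code from @nestjs/platform-fastify, Fastify, or the advisory. The protected prefix `/admin` is a constructed value, `naiveRequiresAuth` and `hardenedRequiresAuth` are illustrative guards, and the `caseInsensitive` flag models a router configured to match routes case-insensitively (an assumption about deployment configuration, not a statement about Fastify's defaults). Refusing double-encoded segments is a policy choice made here, not a requirement of the page.

```typescript
// Added example (not from @nestjs/platform-fastify or Fastify): canonicalize the
// request path once, then let both the auth guard and the router use that form.

type Canonical = { ok: true; path: string } | { ok: false; reason: string };

function canonicalizePath(rawPath: string, caseInsensitive = false): Canonical {
  // Only the path takes part in route matching: drop query string and fragment.
  const cut = rawPath.search(/[?#]/);
  const pathOnly = cut === -1 ? rawPath : rawPath.slice(0, cut);
  if (!pathOnly.startsWith("/")) return { ok: false, reason: "path must be absolute" };

  const segments: string[] = [];
  // Split on the raw "/" first and decode each segment afterwards, so an encoded
  // "%2F" can never become a new separator once decoded.
  for (const rawSeg of pathOnly.split("/")) {
    let seg: string;
    try {
      seg = decodeURIComponent(rawSeg);
    } catch {
      return { ok: false, reason: "malformed percent-encoding" };
    }
    if (seg.includes("/") || seg.includes("\0")) {
      return { ok: false, reason: "decoded separator or NUL inside a segment" };
    }
    if (seg.includes("%")) {
      // Policy choice for this example: refuse double-encoded input instead of guessing.
      return { ok: false, reason: "double-encoded segment" };
    }
    // Empty segments collapse "//" and a trailing "/"; "." is a no-op; ".." must
    // not climb above the root.
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (segments.length === 0) return { ok: false, reason: "dot-dot above root" };
      segments.pop();
      continue;
    }
    // Fold case only when the router itself matches case-insensitively (assumption).
    segments.push(caseInsensitive ? seg.toLowerCase() : seg);
  }
  return { ok: true, path: "/" + segments.join("/") };
}

// Constructed protected area for this example.
const PROTECTED_PREFIX = "/admin";

// Segment-aware prefix test: "/admin" and "/admin/users" match, "/administrator" does not.
function isUnderPrefix(path: string, prefix: string): boolean {
  return path === prefix || path.startsWith(prefix + "/");
}

// Weak pattern: the guard decides on the raw request path while the router decides
// on its own normalized view of it, which is exactly the mismatch described above.
function naiveRequiresAuth(rawPath: string): boolean {
  return isUnderPrefix(rawPath, PROTECTED_PREFIX);
}

// Hardened pattern: decide on the canonical path, and reject anything that cannot
// be canonicalized rather than letting a later stage interpret it differently.
function hardenedRequiresAuth(
  rawPath: string,
  caseInsensitive = false,
): "auth" | "open" | "reject" {
  const c = canonicalizePath(rawPath, caseInsensitive);
  if (!c.ok) return "reject";
  return isUnderPrefix(c.path, PROTECTED_PREFIX) ? "auth" : "open";
}
```

In a NestJS application the canonical path would be computed in one place (for example a global guard or a Fastify `onRequest` hook) and every downstream check would read that value rather than re-parsing the raw URL; the important property is not the exact normalization rules but that exactly one set of rules is applied, and that it runs before any decision is made.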
You are affected if you are using a version that falls within the vulnerable range.
@nestjs/platform-fastify is vulnerable to URL normalization bypass in versions 11.0.0 - 11.1.13.
Upgrade the @nestjs/platform-fastify library to a patched version.