Intel

AIKIDO-2026-183302

@fastify/middie is vulnerable to Authorization Bypass

Authorization BypassCVE-2026-14198 Published 3 days ago

91

Critical Risk

This Affects:

JS@fastify/middie
9.1.0 - 9.3.2
Fixed in 9.3.3
Are you affected? Scan for Free

TL;DR

@fastify/middie decodes the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so middleware fails to match a URL that the route handler still matches. When middleware enforces authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler with a crafted URL such as /user/a%2Fb/comments without authentication. The fix decodes nested percent-encoded bytes so the middleware and router agree on the path.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you use @fastify/middie middleware on parameterized paths for authentication, authorization, rate limiting, or auditing.

Background info

@fastify/middie is vulnerable to Authorization Bypass in versions 9.1.0 - 9.3.2.

How to fix this

Upgrade the @fastify/middie library to the patch version.