@fastify/middie is vulnerable to Authorization Bypass
91
Critical Risk
@fastify/middie decodes the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so middleware fails to match a URL that the route handler still matches. When middleware enforces authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler with a crafted URL such as /user/a%2Fb/comments without authentication. The fix decodes nested percent-encoded bytes so the middleware and router agree on the path.
You are affected if you are using a version that falls within the vulnerable range and you use @fastify/middie middleware on parameterized paths for authentication, authorization, rate limiting, or auditing.
@fastify/middie is vulnerable to Authorization Bypass in versions 9.1.0 - 9.3.2.
Upgrade the @fastify/middie library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant