@fastify/middie is vulnerable to Denial of Service
75
High Risk
@fastify/middie crashes with an uncaught URIError when normalizing request paths that contain malformed percent-encoded sequences such as /%zz, /%, or truncated multibyte sequences like /%E2%82. The exception escapes the standalone engine and terminates the Node.js process, causing an immediate denial of service for all connected clients until restart. This affects applications that call middie.run(req, res) on the standalone engine API directly, since the Fastify plugin path catches the exception in its error handler. The fix catches the URIError and fails the request with a FST_ERR_MIDDIE_MALFORMED_URL 400 error instead of throwing.
You are affected if you are using a version that falls within the vulnerable range and your application calls the standalone engine API (@fastify/middie/lib/engine) directly via middie.run rather than the Fastify plugin path.
@fastify/middie is vulnerable to Denial of Service in versions 9.1.0 - 9.3.2.
Upgrade the @fastify/middie library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant