Intel

AIKIDO-2026-306122

@fastify/middie is vulnerable to Denial of Service

Denial of ServiceCVE-2026-14181 Published 3 days ago

75

High Risk

This Affects:

JS@fastify/middie
9.1.0 - 9.3.2
Fixed in 9.3.3
Are you affected? Scan for Free

TL;DR

@fastify/middie crashes with an uncaught URIError when normalizing request paths that contain malformed percent-encoded sequences such as /%zz, /%, or truncated multibyte sequences like /%E2%82. The exception escapes the standalone engine and terminates the Node.js process, causing an immediate denial of service for all connected clients until restart. This affects applications that call middie.run(req, res) on the standalone engine API directly, since the Fastify plugin path catches the exception in its error handler. The fix catches the URIError and fails the request with a FST_ERR_MIDDIE_MALFORMED_URL 400 error instead of throwing.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application calls the standalone engine API (@fastify/middie/lib/engine) directly via middie.run rather than the Fastify plugin path.

Background info

@fastify/middie is vulnerable to Denial of Service in versions 9.1.0 - 9.3.2.

How to fix this

Upgrade the @fastify/middie library to the patch version.