Skip to content

chore(deps): update dependency @fastify/middie to v9.2.0 [security]#429

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/npm-fastify-middie-vulnerability
Apr 16, 2026
Merged

chore(deps): update dependency @fastify/middie to v9.2.0 [security]#429
renovate[bot] merged 1 commit intomainfrom
renovate/npm-fastify-middie-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Apr 16, 2026

This PR contains the following updates:

Package Change Age Confidence
@fastify/middie 9.1.09.2.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-2880

Summary

A path normalization inconsistency in @fastify/middie can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).

When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.

Impact

An unauthenticated remote attacker can access endpoints intended to be protected by middleware-based auth/authorization controls by sending specially crafted URL paths (for example, //secret or /secret;foo=bar), depending on router option configuration.

This may lead to unauthorized access to protected functionality and data exposure.

Affected versions

  • Confirmed affected: @fastify/middie@9.1.0
  • All versions prior to the patch are affected.

Patched versions

  • Fixed in: 9.2.0

Details

The issue is caused by canonicalization drift between:

  1. @fastify/middie path matching for app.use('/prefix', ...), and
  2. Fastify/find-my-way route lookup normalization.

Because middleware and router did not always evaluate the same normalized path, auth middleware could be skipped while route resolution still succeeded.

Workarounds

Until patched version is deployed:

  • Avoid relying solely on path-scoped middie guards for auth/authorization.
  • Enforce auth at route-level handlers/hooks after router normalization.
  • Disable risky normalization combinations only if operationally feasible.

Resources

Credits

  • Cristian Vargas (Fluid Attacks Research Team) — discovery and report.
  • Oscar Uribe (Fluid Attacks) — coordination and disclosure.
Severity
  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Release Notes

fastify/middie (@​fastify/middie)

v9.2.0

Compare Source

⚠️ Security Release

Fixes GHSA-8p85-9qpw-fwgw

What's Changed

New Contributors

Full Changelog: fastify/middie@v9.1.0...v9.2.0

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot enabled auto-merge (squash) April 16, 2026 00:00
@renovate renovate bot force-pushed the renovate/npm-fastify-middie-vulnerability branch from 0ca8740 to b81d5d0 Compare April 16, 2026 02:46
@renovate renovate bot merged commit 31c5703 into main Apr 16, 2026
4 checks passed
@renovate renovate bot deleted the renovate/npm-fastify-middie-vulnerability branch April 16, 2026 02:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants