CVE-2026-33804

Published: Apr 16, 2026 Last Modified: Apr 16, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,4

Source: ce714d77-add3-4f53-aff5-83d477b104bb

Attack Vector: network

Attack Complexity: high

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: none

Description

AI Translation Available

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

436

Interpretation Conflict

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Other

Potential Impacts:

Unexpected State Varies By Context

Applicable Platforms

All platforms may be affected

View CWE Details

https://cna.openjsf.org/security-advisories.html

https://github.com/fastify/middie/security/advisories/GHSA-…

https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6

CVE-2026-33804

Description

Interpretation Conflict

Common Consequences

Applicable Platforms

Iscriviti alla newsletter