VDB
KO
CRITICAL 9.1

GHSA-72c6-fx6q-fr5w

@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes

Details

### Impact

`@fastify/middie` v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fails to match incoming requests.

This results in complete bypass of middleware security controls for all routes defined within affected child plugin scopes, including nested (grandchild) scopes. Authentication, authorization, rate limiting, and any other middleware-based security mechanisms are skipped. No special request crafting or configuration is required.

This is the same vulnerability class as [GHSA-hrwm-hgmj-7p9c](https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c) (CVE-2026-33807) in `@fastify/express`.

### Patches

Upgrade to `@fastify/middie` v9.3.2 or later.

### Workarounds

None. Upgrade to the patched version.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @fastify/middie
Introduced in: 0 Fixed in: 9.3.2
Fix npm install @fastify/middie@9.3.2

References