{ "schema_version": "1.4.0", "id": "GHSA-8p85-9qpw-fwgw", "modified": "2026-02-28T02:47:17Z", "published": "2026-02-28T02:47:17Z", "aliases": [ "CVE-2026-2880" ], "summary": "@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware", "details": "## Summary\nA path normalization inconsistency in `@fastify/middie` can result in authentication/authorization bypass when using path-scoped middleware (for example, `app.use('/secret', auth)`).\n\nWhen Fastify router normalization options are enabled (such as `ignoreDuplicateSlashes`, `useSemicolonDelimiter`, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.\n\n## Impact\nAn unauthenticated remote attacker can access endpoints intended to be protected by middleware-based auth/authorization controls by sending specially crafted URL paths (for example, `//secret` or `/secret;foo=bar`), depending on router option configuration.\n\nThis may lead to unauthorized access to protected functionality and data exposure.\n\n## Affected versions\n- Confirmed affected: `@fastify/middie@9.1.0`\n- All versions prior to the patch are affected.\n\n## Patched versions\n- Fixed in: *9.2.0*\n\n## Details\nThe issue is caused by canonicalization drift between:\n1. `@fastify/middie` path matching for `app.use('/prefix', ...)`, and\n2. Fastify/find-my-way route lookup normalization.\n\nBecause middleware and router did not always evaluate the same normalized path, auth middleware could be skipped while route resolution still succeeded.\n\n## Workarounds\nUntil patched version is deployed:\n- Avoid relying solely on path-scoped middie guards for auth/authorization.\n- Enforce auth at route-level handlers/hooks after router normalization.\n- Disable risky normalization combinations only if operationally feasible.\n\n## Resources\n- Fluid Attacks Disclosure Policy: https://fluidattacks.com/advisories/policy\n- Fluid Attacks advisory URL: https://fluidattacks.com/advisories/jimenez\n\n## Credits\n- **Cristian Vargas** (Fluid Attacks Research Team) — discovery and report.\n- **Oscar Uribe** (Fluid Attacks) — coordination and disclosure.", "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "@fastify/middie" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.2.0" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2880" }, { "type": "WEB", "url": "https://github.com/fastify/middie/commit/140e0dd0359d890fec7e6ea1dcc5134d6bd554d4" }, { "type": "WEB", "url": "https://fluidattacks.com/advisories/jimenez" }, { "type": "WEB", "url": "https://fluidattacks.com/advisories/policy" }, { "type": "PACKAGE", "url": "https://github.com/fastify/middie" }, { "type": "WEB", "url": "https://github.com/fastify/middie/releases/tag/v9.2.0" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-28T02:47:17Z", "nvd_published_at": "2026-02-27T19:16:12Z" } }