@fastify/middie
npm: 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @fastify/middie
- CVE-2026-22031 | HIGH | CVSS 8.4 | EG 8.4 | ✓ Fixed in 9.1.0 | 2026-01-19
@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-…
- CVE-2026-2880 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 9.2.0 | 2026-02-27
A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such a…
- CVE-2026-33804 | HIGH | CVSS 7.4 | EG 7.4 | ✓ Fixed in 9.3.2 | 2026-04-16
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization perf…
- CVE-2026-6270 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 9.3.2 | 2026-04-16
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins wi…