CVE-2026-22031
📋 TL;DR
This vulnerability allows attackers to bypass path-prefixed middleware in @fastify/middie by percent-encoding (URL-encoding) characters in the request path, for example requesting /%61dmin to reach a route mounted under /admin. Because the middleware chain is keyed on the raw, still-encoded path while the route itself is served, attackers reach protected endpoints without passing the middleware that enforces authentication, authorization, rate limiting or similar controls. All applications using @fastify/middie versions before 9.1.0 with path-prefixed middleware are affected.
💻 Affected Systems
- @fastify/middie
⚠️ Manual Verification Required
The automated detection on this page has no machine-readable version range on file for this CVE, so it cannot tell you whether your system is affected.
Why? The database entry carries no version ranges. The vendor advisory and the fix section below do give the affected range (all versions before 9.1.0), so check your installed version by hand and treat anything older than 9.1.0 as vulnerable if it uses path-prefixed middleware.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete bypass of authentication, authorization, rate limiting, and other security middleware, allowing unauthorized access to sensitive endpoints and data.
Likely Case
Unauthorized access to protected API endpoints or admin interfaces that rely on middleware for security controls.
If Mitigated
Limited impact if additional security layers exist beyond middleware, but still exposes potential attack surface.
🎯 Exploit Status
Exploitation requires only percent-encoding one or more characters of a protected path prefix in the request URL (for example /%61dmin instead of /admin); no special tools or complex techniques are needed, and any HTTP client can send the request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.1.0
Vendor Advisory: https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p
Restart Required: Yes
Instructions:
1. Update package.json so the @fastify/middie range allows 9.1.0 or higher (for example "^9.1.0"). Note that 'npm update' only moves within the range already declared in package.json, so an older range such as "^8.0.0" must be changed first; alternatively install the version directly with 'npm install @fastify/middie@^9.1.0'.
2. Run 'npm update @fastify/middie' or 'yarn upgrade @fastify/middie' and confirm the resolved version with 'npm list @fastify/middie'.
3. Restart your Fastify application so the new package is loaded.
🔧 Temporary Workarounds
URL-Decoding onRequest Hook
Add an onRequest hook, registered before @fastify/middie so it runs first, that percent-decodes the path portion of the raw URL before middie matches its path prefixes. Three caveats apply. First, request.url is a read-only getter in Fastify, so the rewrite has to go through request.raw.url. Second, a blanket decodeURIComponent over the whole URL would turn %2F and %3F into '/' and '?' and change the meaning of the request, and it throws on malformed sequences such as %E0%A4%A, so the hook decodes only the part before the query string and rejects malformed input with a 400. Third, a single decode does not help against a double-encoded payload: /%2561dmin becomes /%61dmin after one decode, which is exactly the input that slips past the prefix match while the router still serves /admin. Treat this as a stopgap, prefer rejecting suspicious encodings over rewriting URLs, and patch as soon as possible.
    // Register before @fastify/middie so this runs first; request.url is a read-only getter, so rewrite request.raw.url
    fastify.addHook('onRequest', (request, reply, done) => {
      const [path, query] = request.raw.url.split(/\?(.*)/, 2); // decode the path only, never the query string
      try {
        request.raw.url = decodeURIComponent(path) + (query === undefined ? '' : '?' + query);
      } catch (err) {
        return reply.code(400).send({ error: 'Bad Request' }); // malformed percent-encoding; replying ends the hook chain, so no done()
      }
      done();
    });
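A more conservative stopgap than rewriting the URL is to refuse requests that have no legitimate reason to exist. RFC 3986 section 2.3 says percent-encoding an unreserved character (letters, digits, "-", ".", "_", "~") never changes a URI's meaning and producers should not do it, while a /%61dmin-style bypass depends on exactly that. The check below is an added example, not code from the advisory or from @fastify/middie: it inspects the raw path, leaves the URL untouched so nothing downstream sees a changed request, and is shown together with a hook wrapper and constructed sample paths. The prefix names, the 400 response and the log fields are assumptions.

```javascript
'use strict';
// Added example, not code from the advisory or from @fastify/middie.
// Rejects requests whose raw path percent-encodes an "unreserved"
// character (RFC 3986 sec. 2.3: ALPHA / DIGIT / "-" / "." / "_" / "~").
// Such escapes never change a path's meaning, so legitimate clients have
// no reason to send them, while /%61dmin-style bypasses depend on them.
// "~" is left out because some older encoders emit %7E; add 0x7E below if
// your clients never do.

const UNRESERVED_HEX = new Set(
  [...'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._']
    .map((ch) => ch.charCodeAt(0).toString(16).toUpperCase())
);

// Returns the first offending escape (e.g. "%61") found in the path part
// of `rawUrl`, or null. A malformed escape ("%6", "%zz") is returned as
// "%" because decoders disagree on how to treat it.
function encodedUnreservedEscape(rawUrl) {
  const qs = rawUrl.indexOf('?');
  const path = qs === -1 ? rawUrl : rawUrl.slice(0, qs);
  const re = /%([0-9A-Fa-f]{2})?/g;
  let m;
  while ((m = re.exec(path)) !== null) {
    if (m[1] === undefined) return m[0];               // malformed escape
    if (UNRESERVED_HEX.has(m[1].toUpperCase())) return m[0];
  }
  return null;
}

// Fastify hook form (assumed usage: fastify.addHook('onRequest', rejectEncodedUnreserved)).
// Register it BEFORE @fastify/middie so it runs first. Replying from a
// callback-style hook ends the chain, so done() is not called in that branch.
function rejectEncodedUnreserved(request, reply, done) {
  const bad = encodedUnreservedEscape(request.raw.url);
  if (bad !== null) {
    request.log.warn({ url: request.raw.url, escape: bad },
      'rejected percent-encoded unreserved character in path');
    reply.code(400).send({ error: 'Bad Request' });
    return;
  }
  done();
}

// Constructed sample paths (not real traffic) showing what the check does.
const SAMPLES = [
  '/admin',                    // plain: accepted
  '/%61dmin',                  // 'a' encoded: rejected (bypass attempt)
  '/admin/%75sers?id=%61',     // 'u' encoded in the path: rejected; the query is ignored
  '/files/report%202024.pdf',  // %20 is a space, not unreserved: accepted
  '/%2561dmin',                // %25 is '%': accepted (decodes once to a literal %61dmin)
  '/caf%C3%A9',                // UTF-8 bytes: accepted
  '/admin/%6',                 // malformed escape: rejected
];

function reportSamples() {
  return SAMPLES.map((p) => [p, encodedUnreservedEscape(p)]);
}

for (const [p, bad] of reportSamples()) {
  console.log(`${bad === null ? 'accept' : 'reject'}  ${p}  ${bad === null ? '' : bad}`);
}
```

Because the check only reads the raw path and never rewrites it, double-encoded input such as /%2561dmin is deliberately not flagged: after the one decode a router performs it is a literal "%61dmin", not "admin", so it does not reach the protected route. If your application decodes more than once anywhere in the chain, revisit that assumption.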
🧯 If You Can't Patch
- Implement additional authentication/authorization checks at the route handler level
- Use web application firewall (WAF) rules to block requests with URL-encoded path segments to protected endpoints
🔍 How to Verify
Check if Vulnerable:
Check whether your application uses @fastify/middie with path-prefixed middleware (calls of the form fastify.use('/admin', ...)). Then request a protected endpoint twice, once with the plain path and once with a character of the prefix percent-encoded (e.g. /%61dmin instead of /admin), and compare the responses: if the plain path is stopped by the middleware (for example a 401) but the encoded path receives the route handler's normal response, the bypass is present.
Check Version:
npm list @fastify/middie
Verify Fix Applied:
After updating to 9.1.0+, test that URL-encoded paths no longer bypass middleware and receive proper middleware responses
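The following script automates that comparison. It is an added example, not part of the original page or of the @fastify/middie project: it generates percent-encoded variants of each protected path (first character of every segment, then the whole path), fetches the plain and encoded forms from a running instance, and reports any variant whose status differs from the baseline. The PROTECTED list, the BASE_URL environment variable and the status-only comparison are assumptions to adjust for your application.

```javascript
'use strict';
// Added example, not code from the advisory or from @fastify/middie.
// Generates percent-encoded variants of protected paths and, when
// BASE_URL is set, sends them to a live application to compare responses.
// Assumes: a Fastify app reachable at BASE_URL, the protected prefixes
// listed below, and that the middleware answers the plain path with a
// status the route handler itself would not return (e.g. 401 vs 200).

const PROTECTED = ['/admin', '/api/secure'];

// Percent-encode a single ASCII character ("a" -> "%61").
function pct(ch) {
  return '%' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0');
}

// Variants of `path` that decode back to `path`:
//  - the first unreserved character of each segment encoded
//  - every unreserved character of the path encoded
function encodedVariants(path) {
  const segments = path.split('/');
  const variants = new Set();
  segments.forEach((seg, i) => {
    const idx = seg.search(/[A-Za-z0-9._-]/);
    if (idx === -1) return;
    const copy = segments.slice();
    copy[i] = seg.slice(0, idx) + pct(seg[idx]) + seg.slice(idx + 1);
    variants.add(copy.join('/'));
  });
  variants.add(path.replace(/[A-Za-z0-9._-]/g, pct));
  variants.delete(path);
  return [...variants];
}

// A probe is suspicious when the encoded form gets a different status than
// the plain form (e.g. 401 for /admin but 200 for /%61dmin). Body length is
// reported for context but not compared, since dynamic pages vary.
function looksBypassed(baseline, probe) {
  return baseline.status !== probe.status;
}

async function fetchSummary(url) {
  const res = await fetch(url, { redirect: 'manual' });
  return { status: res.status, length: (await res.text()).length };
}

async function run(baseUrl) {
  for (const path of PROTECTED) {
    const baseline = await fetchSummary(baseUrl + path);
    for (const variant of encodedVariants(path)) {
      const probe = await fetchSummary(baseUrl + variant);
      const verdict = looksBypassed(baseline, probe) ? 'POSSIBLE BYPASS' : 'ok';
      console.log(`${verdict.padEnd(15)} ${path} -> ${baseline.status} (${baseline.length} bytes), ` +
                  `${variant} -> ${probe.status} (${probe.length} bytes)`);
    }
  }
}

// Live check only when explicitly requested, e.g.
//   BASE_URL=http://127.0.0.1:3000 node probe.js
if (typeof process !== 'undefined' && process.env.BASE_URL) {
  run(process.env.BASE_URL).catch((err) => {
    console.error(err);
    process.exitCode = 1;
  });
}
```

Run it once before and once after upgrading to 9.1.0: before, the encoded variants of a protected path should come back with the handler's status; after, every variant should receive the same response as the plain path.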
📡 Detection & Monitoring
Log Indicators:
- Requests whose path percent-encodes an unreserved character (letters, digits, -, ., _), e.g. %61 for a; escapes such as %20 or UTF-8 byte sequences are normal and not by themselves an indicator
- Requests that, once the path is decoded, land on a protected prefix (/admin, /api/...) without the log lines the middleware normally writes (authentication, rate-limit decisions)
- Protected endpoints answering 2xx to a percent-encoded path while the plain path is rejected with 401/403
Network Indicators:
- HTTP requests containing percent-encoded letters or digits in the URL path, in particular in the first segments that correspond to protected prefixes
SIEM Query:
A query that requires both a % and a keyword in the raw path, such as url.path:*%* AND url.path:*admin*, misses the attack and matches benign traffic: a bypass path like /%61dmin never contains the literal string admin, while harmless paths containing %20 do contain a %. Alert instead on any percent-escape of an unreserved character in the raw path, and apply keyword filters to a decoded path field if your pipeline stores one. Lucene-style regex example (adapt the field name and syntax to your SIEM):
url.path:/.*%(4[1-9a-fA-F]|5[0-9aA]|6[1-9a-fA-F]|7[0-9aA]|3[0-9]|2[dDeE]|5[fF]).*/
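To make the detection logic concrete, the script below runs it over a handful of constructed access-log lines. It is an added example, not part of the original page: it parses combined-log-format entries, flags paths that percent-encode an unreserved character, decodes the path once and checks the decoded path against protected prefixes, rating a 2xx on a protected path as the bypass signature. The prefixes, the sample lines and the severity labels are constructed assumptions.

```javascript
'use strict';
// Added example, not part of the original page. Scans access-log lines
// (combined log format, constructed below) for requests whose path
// percent-encodes an unreserved character and whose DECODED path lands on
// a protected prefix. Matching on the decoded path matters: the raw path
// of a bypass attempt such as /%61dmin never contains the string "admin".

const PROTECTED_PREFIXES = ['/admin', '/api/secure'];

// Percent escapes of ALPHA / DIGIT / "-" / "." / "_" (RFC 3986 unreserved).
const ENCODED_UNRESERVED = /%(?:4[1-9A-F]|5[0-9A]|6[1-9A-F]|7[0-9A]|3[0-9]|2[DE]|5F)/i;

// Constructed sample log lines (not real traffic).
const LOG_LINES = [
  '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /admin HTTP/1.1" 401 27',
  '10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /%61dmin HTTP/1.1" 200 512',
  '10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "GET /api/%73ecure/keys?x=1 HTTP/1.1" 200 88',
  '10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "GET /docs/user%20guide.pdf HTTP/1.1" 200 9000',
  '10.0.0.9 - - [01/Jan/2026:10:00:04 +0000] "GET /public/%61bout HTTP/1.1" 200 300',
];

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

// Parse one combined-log line into the fields the analysis needs.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (m === null) return null;
  const qs = m[4].indexOf('?');
  return {
    ip: m[1], time: m[2], method: m[3],
    path: qs === -1 ? m[4] : m[4].slice(0, qs),   // query string dropped
    status: Number(m[5]),
  };
}

// Decode exactly once; a malformed escape is itself worth flagging.
function safeDecode(path) {
  try { return decodeURIComponent(path); } catch (err) { return null; }
}

// Returns a finding for suspicious entries, null otherwise.
function analyze(entry) {
  if (!ENCODED_UNRESERVED.test(entry.path)) return null;  // no encoded unreserved char
  const decoded = safeDecode(entry.path);
  const target = decoded === null ? null
    : PROTECTED_PREFIXES.find((p) => decoded === p || decoded.startsWith(p + '/')) || null;
  if (decoded !== null && target === null) return null;   // encoded, but not a protected path
  return {
    ip: entry.ip, time: entry.time, raw: entry.path, decoded, target, status: entry.status,
    // a 2xx on a protected path reached through encoding is the bypass signature
    severity: entry.status >= 200 && entry.status < 300 ? 'high' : 'medium',
  };
}

function scan(lines) {
  return lines.map(parseLine).filter(Boolean).map(analyze).filter(Boolean);
}

for (const f of scan(LOG_LINES)) {
  console.log(`${f.severity.toUpperCase()} ${f.ip} ${f.raw} -> ${f.decoded} (${f.target}) status=${f.status}`);
}
```

Of the five constructed lines only two are reported: the %20 in the PDF path is an ordinary space, and the encoded /public/%61bout is odd but does not reach a protected prefix. The same three-step logic (encoded unreserved character, decode once, prefix match on the decoded path) translates directly into a SIEM rule with far fewer false positives than a bare wildcard on %.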