Fastify Middie Bypass: Double Slashes, Double Trouble
A high-severity vulnerability, CVE-2026-33804, has been identified in @fastify/middie versions 9.3.1 and earlier. According to the National Vulnerability Database, this flaw allows a middleware bypass when an application uses the deprecated Fastify ignoreDuplicateSlashes option. The core issue is a mismatch between the middleware’s path matching logic and Fastify’s router, which normalizes duplicate slashes.
Essentially, if a request contains duplicate slashes, Fastify’s router processes them differently than the middleware expects. This discrepancy can allow an attacker to craft a request that bypasses authentication and authorization checks implemented by the middleware. The National Vulnerability Database assigns this a CVSS score of 7.4 (High), underscoring the potential for unauthorized access or other malicious activity. It’s a classic case of an edge case in path handling turning into a security headache.
The fix, as reported by the National Vulnerability Database, is to upgrade to @fastify/middie version 9.3.2. For those unable to upgrade immediately, the only workaround is to disable the ignoreDuplicateSlashes option entirely. This isn’t a minor glitch; it’s a critical logic error that could expose applications to serious compromise if not addressed promptly.
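To make the mismatch concrete, here is an added example (not Fastify's or @fastify/middie's own code) that models the two layers with simplified, assumed behaviours: a router that collapses runs of slashes, and a prefix-mounted middleware that matches the raw path. It includes an audit helper that flags request paths the two layers disagree on, and a matcher that normalizes the same way the router does so both layers agree.

```javascript
// Simplified model of the CVE-2026-33804 mismatch. Assumptions (not taken
// from the project): the router collapses runs of '/' before matching, while
// the middleware compares its mount prefix against the raw request path.

// Router-style normalization: '//a///b' -> '/a/b'.
function collapseDuplicateSlashes(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Naive prefix matcher: the mount prefix must appear verbatim at the start of
// the path, followed by end-of-string or a slash.
function rawPrefixMatch(prefix, path) {
  return path === prefix || path.startsWith(prefix + '/');
}

// Consistent matcher: normalize exactly as the router does before comparing,
// so the middleware fires for every request the router sends under `prefix`.
function normalizedPrefixMatch(prefix, path) {
  return rawPrefixMatch(prefix, collapseDuplicateSlashes(path));
}

// Defender's audit: true when the router would route the request under
// `prefix` but a raw-path middleware mounted at `prefix` would not run.
function middlewareWouldBeSkipped(prefix, path) {
  const routerSeesProtected = rawPrefixMatch(prefix, collapseDuplicateSlashes(path));
  const middlewareFires = rawPrefixMatch(prefix, path);
  return routerSeesProtected && !middlewareFires;
}

// Return the subset of `paths` where the two layers disagree.
function auditPaths(prefix, paths) {
  return paths.filter((p) => middlewareWouldBeSkipped(prefix, p));
}

// Constructed sample request paths (not from any real traffic or log).
const samplePaths = ['/admin/users', '//admin/users', '/admin//users', '/public//x'];

console.log(auditPaths('/admin', samplePaths)); // paths where the layers disagree
```

Running the audit over access logs from an application that still has ignoreDuplicateSlashes enabled shows which historical requests would have reached protected routes without passing through the middleware.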
What This Means For You
- If your Fastify application uses `@fastify/middie` and the `ignoreDuplicateSlashes` option, you are vulnerable to authentication bypass. Immediately upgrade to `@fastify/middie` 9.3.2 or disable `ignoreDuplicateSlashes` to prevent unauthorized access.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-33804 | Auth Bypass | @fastify/middie versions 9.3.1 and earlier |
| CVE-2026-33804 | Auth Bypass | Fastify ignoreDuplicateSlashes option enabled |
| CVE-2026-33804 | Auth Bypass | Middleware path matching logic bypass via duplicate slashes |