Impact
@fastify/middie v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fails to match incoming requests.
This results in complete bypass of middleware security controls for all routes defined within affected child plugin scopes, including nested (grandchild) scopes. Authentication, authorization, rate limiting, and any other middleware-based security mechanisms are skipped. No special request crafting or configuration is required.
This is the same vulnerability class as GHSA-hrwm-hgmj-7p9c (CVE-2026-33807) in @fastify/express.
Patches
Upgrade to @fastify/middie v9.3.2 or later.
Workarounds
None. Upgrade to the patched version.
References
FredKSchott Reporter
climba03003 Remediation developer
UlisesGascon Remediation developer
Impact
@fastify/middiev9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fails to match incoming requests.This results in complete bypass of middleware security controls for all routes defined within affected child plugin scopes, including nested (grandchild) scopes. Authentication, authorization, rate limiting, and any other middleware-based security mechanisms are skipped. No special request crafting or configuration is required.
This is the same vulnerability class as GHSA-hrwm-hgmj-7p9c (CVE-2026-33807) in
@fastify/express.Patches
Upgrade to
@fastify/middiev9.3.2 or later.Workarounds
None. Upgrade to the patched version.
References
@fastify/express)