CVE-2026-2880
@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware
Description
## Summary

A path normalization inconsistency in `@fastify/middie` can result in authentication/authorization bypass when using path-scoped middleware (for example, `app.use('/secret', auth)`). When Fastify router normalization options are enabled (such as `ignoreDuplicateSlashes`, `useSemicolonDelimiter`, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.

## Impact

An unauthenticated remote attacker can access endpoints intended to be protected by middleware-based auth/authorization controls by sending specially crafted URL paths (for example, `//secret` or `/secret;foo=bar`), depending on router option configuration. This may lead to unauthorized access to protected functionality and data exposure.

## Affected versions

- Confirmed affected: `@fastify/[email protected]`
- All versions prior to the patch are affected.

## Patched versions

- Fixed in: *9.2.0*

## Details

The issue is caused by canonicalization drift between:

1. `@fastify/middie` path matching for `app.use('/prefix', ...)`, and
2. Fastify/find-my-way route lookup normalization.

Because the middleware and the router did not always evaluate the same normalized path, auth middleware could be skipped while route resolution still succeeded.

## Workarounds

Until the patched version is deployed:

- Avoid relying solely on path-scoped middie guards for auth/authorization.
- Enforce auth at route-level handlers/hooks after router normalization.
- Disable risky normalization combinations only if operationally feasible.

## Resources

- Fluid Attacks Disclosure Policy: https://fluidattacks.com/advisories/policy
- Fluid Attacks advisory URL: https://fluidattacks.com/advisories/jimenez

## Credits

- **Cristian Vargas** (Fluid Attacks Research Team) — discovery and report.
- **Oscar Uribe** (Fluid Attacks) — coordination and disclosure.
How to fix CVE-2026-2880
To remediate CVE-2026-2880, upgrade the affected package to a fixed version below.
- `@fastify/middie`: upgrade to 9.2.0 or later
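The following is an added example, not code from `@fastify/middie`, Fastify, or the advisory authors. It models the canonicalization drift described under "Details" and the "guard after router normalization" workaround in plain JavaScript so it runs offline: a `routerNormalize` function stands in for the router's `ignoreDuplicateSlashes`, `useSemicolonDelimiter` and trailing-slash handling (the rules are assumptions that mimic those options, not find-my-way's real implementation), a raw-path prefix guard stands in for the pre-fix middleware, and `findBypasses` is a regression check an application team can run against the router options it actually deploys with.

```javascript
// Added example (not @fastify/middie or Fastify code). Models the mismatch
// between path-scoped middleware matching and router normalization, and the
// fix of evaluating the guard on the same canonical path the router uses.

// ASSUMPTION: a simplified model of router normalization. Real find-my-way
// behaviour differs in detail; only the option names come from the advisory.
function routerNormalize(rawPath, opts = {}) {
  let p = rawPath.split('?')[0];
  if (opts.useSemicolonDelimiter) {
    // Everything after ';' is treated as parameters, not as path.
    p = p.split(';')[0];
  }
  if (opts.ignoreDuplicateSlashes) {
    p = p.replace(/\/{2,}/g, '/');
  }
  if (opts.ignoreTrailingSlash && p.length > 1 && p.endsWith('/')) {
    p = p.slice(0, -1);
  }
  return p;
}

// Constructed route table: one protected handler registered at /secret.
const PROTECTED_ROUTES = new Set(['/secret']);

function routeMatches(rawPath, opts) {
  return PROTECTED_ROUTES.has(routerNormalize(rawPath, opts));
}

// Pre-fix model: the path-scoped guard decides on the raw request path.
function middlewareGuardRaw(rawPath, prefix) {
  return rawPath === prefix || rawPath.startsWith(prefix + '/');
}

// Fixed model (and the advisory's workaround): the guard is evaluated on the
// normalized path, so it agrees with route lookup.
function middlewareGuardNormalized(rawPath, prefix, opts) {
  const p = routerNormalize(rawPath, opts);
  return p === prefix || p.startsWith(prefix + '/');
}

// Simulate one request: did auth run, was the protected handler reached,
// and is that combination a bypass (handler reached without auth)?
function simulate(rawPath, opts, guardOnNormalized) {
  const authRan = guardOnNormalized
    ? middlewareGuardNormalized(rawPath, '/secret', opts)
    : middlewareGuardRaw(rawPath, '/secret');
  const handlerReached = routeMatches(rawPath, opts);
  return { authRan, handlerReached, bypass: handlerReached && !authRan };
}

// Defender-side check: for a given router configuration, list the request
// shapes that would reach a protected handler without passing the guard.
function findBypasses(candidatePaths, opts, guardOnNormalized) {
  return candidatePaths.filter((p) => simulate(p, opts, guardOnNormalized).bypass);
}

// Constructed sample requests; the middle two shapes are the ones quoted
// in the advisory's Impact section.
const SAMPLE_PATHS = ['/secret', '//secret', '/secret;foo=bar', '/secret/', '/public'];
const RISKY_OPTS = {
  ignoreDuplicateSlashes: true,
  useSemicolonDelimiter: true,
  ignoreTrailingSlash: true,
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('raw-path guard, risky options:', findBypasses(SAMPLE_PATHS, RISKY_OPTS, false));
  console.log('normalized guard, risky options:', findBypasses(SAMPLE_PATHS, RISKY_OPTS, true));
  console.log('raw-path guard, default options:', findBypasses(SAMPLE_PATHS, {}, false));
}
```

The point of `findBypasses` is that the exposure depends on the option combination: with the model's default options none of the sample shapes drift, while with the risky options enabled the raw-path guard disagrees with route lookup for exactly the shapes the advisory names, and guarding on the normalized path closes that gap. Running a check like this over the real router configuration, with auth also enforced in route-level hooks as the workaround recommends, gives a concrete regression test rather than relying on prefix matching alone.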
Is CVE-2026-2880 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.