CVE-2026-33804: @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
@fastify/middie v9.3.1 and earlier does not read the deprecated (but still functional) top-level ignoreDuplicateSlashes option; it only reads the setting from routerOptions. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, so middleware can be bypassed with URLs containing duplicate leading slashes (e.g., //admin/secret).
This only affects applications using the deprecated top-level configuration style (fastify({ ignoreDuplicateSlashes: true })). Applications using routerOptions: { ignoreDuplicateSlashes: true } are not affected.
This is distinct from GHSA-8p85-9qpw-fwgw (CVE-2026-2880), which was patched in v9.2.0.
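As an added illustration (not code from the advisory or from the @fastify/middie project), the plain-JavaScript sketch below emulates the gap: a guard that tests the raw URL misses //admin/secret, while one that collapses duplicate slashes first sees the same path the router will route, and a log check flags requests whose raw path differs from its normalized form. The function names, the normalization rule (an emulation of ignoreDuplicateSlashes, not the router's own code) and the sample log lines are constructed for this example.

```javascript
// Added example (not from the advisory or the @fastify/middie project).
// Emulates the normalization gap: the router collapses duplicate slashes
// when ignoreDuplicateSlashes is set, but a middleware layer that inspects
// the raw URL may not, so the two layers disagree about the same request.

// Collapse runs of slashes in the path (emulated rule, assumption);
// the query string is left untouched.
function normalizePath(url) {
  const qIndex = url.indexOf('?');
  const path = qIndex === -1 ? url : url.slice(0, qIndex);
  const query = qIndex === -1 ? '' : url.slice(qIndex);
  return path.replace(/\/{2,}/g, '/') + query;
}

// Naive guard: prefix test on the raw URL. "//admin/secret" is not
// challenged because the raw string does not start with "/admin".
function rawPrefixGuard(url, protectedPrefix = '/admin') {
  return url.startsWith(protectedPrefix) ? 'challenge' : 'pass';
}

// Hardened guard: normalize first, then test, so the middleware decision
// is made on the path the router will actually match.
function normalizedPrefixGuard(url, protectedPrefix = '/admin') {
  return normalizePath(url).startsWith(protectedPrefix) ? 'challenge' : 'pass';
}

// Detection: constructed sample access-log lines ("METHOD PATH STATUS"),
// not real logs. Any path that changes under normalization is suspicious.
const SAMPLE_LOG = [
  'GET /admin/secret 401',
  'GET //admin/secret 200',
  'GET /public/index.html 200',
  'GET /admin//users 200',
];

// Return the raw paths whose normalized form differs from the raw form.
function findDuplicateSlashRequests(lines) {
  return lines
    .map((line) => line.split(' ')[1])
    .filter((path) => path !== normalizePath(path));
}
```

The guard only shows why the two layers must normalize consistently; the configuration-level remedy is the routerOptions: { ignoreDuplicateSlashes: true } form the advisory names as unaffected.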