CVE-2026-22031: Fastify Middie Middleware Path Bypass
A security vulnerability exists in @fastify/middie where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.
References
- github.com/advisories/GHSA-cxrg-g7r8-w69p
- github.com/fastify/middie
- github.com/fastify/middie/commit/d44cd56eb724490babf7b452fdbbdd37ea2effba
- github.com/fastify/middie/pull/245
- github.com/fastify/middie/releases/tag/v9.1.0
- github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p
- nvd.nist.gov/vuln/detail/CVE-2026-22031
Code Behaviors & Features
Detect and mitigate CVE-2026-22031 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →