{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@fastify/middie/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-2880"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Fastify","@fastify/middie"],"_cs_severities":["high"],"_cs_tags":["fastify","middie","middleware-bypass","vulnerability","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Fastify"],"content_html":"\u003cp\u003eA vulnerability exists in the \u003ccode\u003e@fastify/middie\u003c/code\u003e package, a middleware engine for the Fastify web framework. Specifically, versions 9.3.1 and earlier fail to properly handle the deprecated top-level \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option. This option, intended to normalize duplicate slashes in URLs, is only read from the \u003ccode\u003erouterOptions\u003c/code\u003e configuration, leading to a discrepancy where Fastify's router normalizes slashes but middie does not.  The vulnerability allows attackers to bypass middleware protections by crafting URLs with duplicate leading slashes (e.g., \u003ccode\u003e//admin/secret\u003c/code\u003e). This only impacts applications still using the deprecated top-level configuration style (\u003ccode\u003efastify({ ignoreDuplicateSlashes: true })\u003c/code\u003e). This issue is distinct from CVE-2026-2880 (GHSA-8p85-9qpw-fwgw) and was addressed in version 9.2.0. Defenders should prioritize patching or migrating to the supported \u003ccode\u003erouterOptions\u003c/code\u003e configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Fastify application using \u003ccode\u003e@fastify/middie\u003c/code\u003e version 9.3.1 or earlier and employing the deprecated top-level \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request with a URL containing duplicate leading slashes (e.g., \u003ccode\u003e//admin/secret\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eFastify's router normalizes the URL, removing the duplicate slashes before routing.\u003c/li\u003e\n\u003cli\u003eHowever, \u003ccode\u003e@fastify/middie\u003c/code\u003e does not properly handle the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option from the top-level configuration.\u003c/li\u003e\n\u003cli\u003eDue to the normalization gap, the request bypasses middleware intended to protect the \u003ccode\u003e/admin/secret\u003c/code\u003e route.\u003c/li\u003e\n\u003cli\u003eThe request reaches the vulnerable route, potentially exposing sensitive information or functionality.\u003c/li\u003e\n\u003cli\u003eThe application processes the request without proper authentication or authorization checks due to the bypassed middleware.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to protected resources, leading to data leakage or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unauthorized access to sensitive resources within affected Fastify applications. The number of victims depends on the prevalence of the vulnerable configuration. Sectors particularly at risk include organizations using Fastify for web application development without adhering to security best practices.  If the attack succeeds, attackers could gain access to administrative interfaces, confidential data, or other protected resources, potentially leading to data breaches, service disruption, or other adverse outcomes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003e@fastify/middie\u003c/code\u003e version 9.3.2 or later to remediate the vulnerability (reference: Affected Packages).\u003c/li\u003e\n\u003cli\u003eMigrate from the deprecated top-level \u003ccode\u003eignoreDuplicateSlashes: true\u003c/code\u003e configuration to \u003ccode\u003erouterOptions: { ignoreDuplicateSlashes: true }\u003c/code\u003e (reference: Workarounds).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious URL Access via Duplicate Slashes\u0026quot; to identify potential exploitation attempts (reference: rules).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests with URLs containing duplicate leading slashes targeting sensitive endpoints (reference: webserver logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T10:00:00Z","date_published":"2024-01-29T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-fastify-middie-bypass/","summary":"`@fastify/middie` versions 9.3.1 and earlier are vulnerable to middleware bypass via URLs with duplicate leading slashes due to improper handling of the deprecated `ignoreDuplicateSlashes` option, potentially allowing unauthorized access to protected resources.","title":"@fastify/middie Middleware Bypass Vulnerability via Duplicate Slashes","url":"https://feed.craftedsignal.io/briefs/2024-01-29-fastify-middie-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - @Fastify/Middie","version":"https://jsonfeed.org/version/1.1"}