<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Fastify - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/fastify/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/fastify/feed.xml" rel="self" type="application/rss+xml"/><item><title>@fastify/middie Middleware Bypass Vulnerability via Duplicate Slashes</title><link>https://feed.craftedsignal.io/briefs/2024-01-29-fastify-middie-bypass/</link><pubDate>Mon, 29 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-29-fastify-middie-bypass/</guid><description>`@fastify/middie` versions 9.3.1 and earlier are vulnerable to middleware bypass via URLs with duplicate leading slashes due to improper handling of the deprecated `ignoreDuplicateSlashes` option, potentially allowing unauthorized access to protected resources.</description><content:encoded><![CDATA[<p>A vulnerability exists in the <code>@fastify/middie</code> package, a middleware engine for the Fastify web framework. Specifically, versions 9.3.1 and earlier fail to properly handle the deprecated top-level <code>ignoreDuplicateSlashes</code> option. This option, intended to normalize duplicate slashes in URLs, is only read from the <code>routerOptions</code> configuration, leading to a discrepancy where Fastify's router normalizes slashes but middie does not.  The vulnerability allows attackers to bypass middleware protections by crafting URLs with duplicate leading slashes (e.g., <code>//admin/secret</code>). This only impacts applications still using the deprecated top-level configuration style (<code>fastify({ ignoreDuplicateSlashes: true })</code>). This issue is distinct from CVE-2026-2880 (GHSA-8p85-9qpw-fwgw) and was addressed in version 9.2.0. Defenders should prioritize patching or migrating to the supported <code>routerOptions</code> configuration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Fastify application using <code>@fastify/middie</code> version 9.3.1 or earlier and employing the deprecated top-level <code>ignoreDuplicateSlashes</code> option.</li>
<li>The attacker crafts a malicious HTTP request with a URL containing duplicate leading slashes (e.g., <code>//admin/secret</code>).</li>
<li>Fastify's router normalizes the URL, removing the duplicate slashes before routing.</li>
<li>However, <code>@fastify/middie</code> does not properly handle the <code>ignoreDuplicateSlashes</code> option from the top-level configuration.</li>
<li>Due to the normalization gap, the request bypasses middleware intended to protect the <code>/admin/secret</code> route.</li>
<li>The request reaches the vulnerable route, potentially exposing sensitive information or functionality.</li>
<li>The application processes the request without proper authentication or authorization checks due to the bypassed middleware.</li>
<li>The attacker gains unauthorized access to protected resources, leading to data leakage or privilege escalation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to unauthorized access to sensitive resources within affected Fastify applications. The number of victims depends on the prevalence of the vulnerable configuration. Sectors particularly at risk include organizations using Fastify for web application development without adhering to security best practices.  If the attack succeeds, attackers could gain access to administrative interfaces, confidential data, or other protected resources, potentially leading to data breaches, service disruption, or other adverse outcomes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to <code>@fastify/middie</code> version 9.3.2 or later to remediate the vulnerability (reference: Affected Packages).</li>
<li>Migrate from the deprecated top-level <code>ignoreDuplicateSlashes: true</code> configuration to <code>routerOptions: { ignoreDuplicateSlashes: true }</code> (reference: Workarounds).</li>
<li>Deploy the Sigma rule &quot;Detect Suspicious URL Access via Duplicate Slashes&quot; to identify potential exploitation attempts (reference: rules).</li>
<li>Monitor web server logs for HTTP requests with URLs containing duplicate leading slashes targeting sensitive endpoints (reference: webserver logs).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>fastify</category><category>middie</category><category>middleware-bypass</category><category>vulnerability</category><category>defense-evasion</category></item></channel></rss>