{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33804/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-33804"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["fastify","middie","middleware","bypass","cve-2026-33804","defense-evasion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003e@fastify/middie, a Fastify middleware engine, is vulnerable to a significant security bypass. Specifically, versions 9.3.1 and earlier are susceptible when the deprecated Fastify \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option is enabled. This vulnerability, identified as CVE-2026-33804, arises because the middleware\u0026rsquo;s path matching logic fails to account for the duplicate slash normalization performed by Fastify\u0026rsquo;s router. Consequently, crafted HTTP requests containing duplicate slashes can circumvent middleware authentication and authorization checks, potentially granting unauthorized access to protected resources. This vulnerability only affects applications that are actively using the deprecated \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option. The recommended remediation is to upgrade to @fastify/middie version 9.3.2, which addresses this issue. Alternatively, disabling the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option can serve as a mitigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Fastify application using @fastify/middie version 9.3.1 or earlier with the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a protected resource. The request URI includes duplicate slashes (e.g., \u003ccode\u003e/api//resource\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request is received by the Fastify server.\u003c/li\u003e\n\u003cli\u003eFastify\u0026rsquo;s router normalizes the duplicate slashes in the URI before passing it to the middleware.\u003c/li\u003e\n\u003cli\u003eThe middleware\u0026rsquo;s path matching logic fails to correctly handle the normalized URI due to the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e setting.\u003c/li\u003e\n\u003cli\u003eAs a result, the request bypasses the intended authentication and/or authorization checks implemented by the middleware.\u003c/li\u003e\n\u003cli\u003eThe request reaches the targeted resource, which is processed by the application.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the resource, potentially leading to data breaches, privilege escalation, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass authentication and authorization controls, potentially gaining unauthorized access to sensitive data or functionality within the Fastify application. The severity of the impact depends on the nature of the protected resources and the extent of the attacker\u0026rsquo;s access. This could lead to data breaches, privilege escalation, or other malicious activities. The number of potential victims is dependent on the number of applications using the vulnerable version of @fastify/middie with the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade @fastify/middie to version 9.3.2 or later to patch the vulnerability described in CVE-2026-33804.\u003c/li\u003e\n\u003cli\u003eDisable the \u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e option in Fastify configurations as an alternative mitigation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectFastifyMiddieBypassAttempt\u003c/code\u003e to identify potential exploitation attempts based on duplicate slashes in the request URI.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T15:17:34Z","date_published":"2026-04-16T15:17:34Z","id":"/briefs/2026-04-fastify-middie-bypass/","summary":"A middleware bypass vulnerability (CVE-2026-33804) exists in @fastify/middie versions 9.3.1 and earlier when the deprecated Fastify ignoreDuplicateSlashes option is enabled, potentially allowing unauthorized access.","title":"@fastify/middie Middleware Bypass Vulnerability (CVE-2026-33804)","url":"https://feed.craftedsignal.io/briefs/2026-04-fastify-middie-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-33804","version":"https://jsonfeed.org/version/1.1"}