{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2880", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-02-20T16:50:56.850Z", "datePublished": "2026-02-27T18:25:37.428Z", "dateUpdated": "2026-02-27T18:56:02.979Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageURL": "pkg:npm/@fastify/middie", "product": "@fastify/middie", "vendor": "@fastify/middie", "versions": [{"lessThan": "9.2.0", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability in @fastify/middie versions &lt; 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).\n\nWhen Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers."}], "value": "A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).\n\nWhen Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.2, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-02-27T18:25:37.428Z"}, "references": [{"url": "https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw"}], "title": "@fastify/middie has an improper path normalization vulnerability", "x_generator": {"engine": "cve-kit 0.1.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T18:55:36.300396Z", "id": "CVE-2026-2880", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T18:56:02.979Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2880", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T18:55:36.300396Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T18:55:51.355Z"}}], "cna": {"title": "@fastify/middie has an improper path normalization vulnerability", "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "@fastify/middie", "product": "@fastify/middie", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "9.2.0", "versionType": "semver"}], "packageURL": "pkg:npm/@fastify/middie", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw"}], "x_generator": {"engine": "cve-kit 0.1.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).\n\nWhen Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.", "supportingMedia": [{"type": "text/html", "value": "A vulnerability in @fastify/middie versions &lt; 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).\n\nWhen Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-02-27T18:25:37.428Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2880", "state": "PUBLISHED", "dateUpdated": "2026-02-27T18:56:02.979Z", "dateReserved": "2026-02-20T16:50:56.850Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2026-02-27T18:25:37.428Z", "assignerShortName": "openjs"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastify:fastify\\/middie:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B85FBD79-4E31-4FA8-84FD-AE2831855607", "versionEndExcluding": "9.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).\n\nWhen Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers."}, {"lang": "es", "value": "Una vulnerabilidad en las versiones de @fastify/middie anteriores a la 9.2.0 puede resultar en una omisi\u00f3n de autenticaci\u00f3n/autorizaci\u00f3n al usar middleware con \u00e1mbito de ruta (por ejemplo, app.use('/secret', auth)).\n\nCuando las opciones de normalizaci\u00f3n del router de Fastify est\u00e1n habilitadas (como ignoreDuplicateSlashes, useSemicolonDelimiter y el comportamiento relacionado con las barras finales), las rutas de solicitud manipuladas pueden omitir las comprobaciones del middleware mientras siguen siendo enrutadas a manejadores protegidos."}], "id": "CVE-2026-2880", "lastModified": "2026-05-14T15:41:44.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-02-27T19:16:12.807", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,9.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "@fastify/middie", "source": "cna", "vendor": "@fastify/middie"}, "product": "middie", "vendor": "fastify"}], "analysis": {"en": {"generated_at": "2026-04-17T13:56:58.665964+00:00", "value": {"mitigation_remediation": ["Upgrade to @fastify/middie 9.2.0 or newer. ", "Disable or remove router normalization features (ignoreDuplicateSlashes, useSemicolonDelimiter, trailing slash handling) that allow path mangling until the upgrade is applied. ", "If the application requires these features, add additional authentication checks at the route handler level or avoid using path\u2011scoped middleware for protected resources."], "summary": {"action": "Immediate Patch", "impact": "Authentication/Authorization bypass via improper path normalization"}, "threat_synthesis": {"affected_systems": "Affected versions are all releases of @fastify/middie earlier than 9.2.0. The product is maintained by OpenJSF and is used by applications built on the Fastify framework. Any deployment that relies on path\u2011scoped middleware with router normalization enabled is susceptible.", "description_and_impact": "The vulnerability is an improper path normalization flaw in @fastify/middie that allows crafted request paths to bypass authentication and authorization checks when path\u2011scoped middleware is used. Attackers can request a protected path such as '/secret' while the middleware is skipped, giving them unintended access. The weakness is classified as CWE\u201120, which reflects improper input validation.", "risk_and_exploitability": "The flaw has a CVSS score of 8.2, indicating high severity, but the EPSS score is less than 1% so exploitation is still considered unlikely at present. It is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack vector requires an HTTP client that can control the request path; if router normalization options such as ignoreDuplicateSlashes or useSemicolonDelimiter are enabled, a crafted URL can trick the router into handling the request without executing the middleware."}}}}, "created": "2026-03-02T12:05:14.244729+00:00", "updated": "2026-04-17T14:00:15.816023+00:00", "vendors": ["fastify", "fastify$PRODUCT$middie"]}