CVE-2026-2880: @fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware
A path normalization inconsistency in @fastify/middie can result in an authentication/authorization bypass when middleware is registered with a path scope (for example, app.use('/secret', auth)).
When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), the router normalizes the request path before route lookup while the middleware's path-scope check does not apply the same normalization. A crafted request path can therefore fall outside the middleware's scope check yet still be routed to a protected handler, so the middleware never runs for that request.
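The following toy model is an added illustration of the class of inconsistency described above; it is not code from @fastify/middie, Fastify, or Fastify's router. It pairs a router that normalizes the request path before route lookup with a path-scoped middleware check that compares its prefix against the unnormalized path. The option names mirror the ones listed above, but the normalization logic, the protected routes, the request paths, and the hardened matcher are all constructed assumptions for the demonstration and do not reproduce the library's real matching code or its fix.

```javascript
// Toy model of a router/middleware path-normalization mismatch.
// Added for this page; NOT code from @fastify/middie or Fastify's router.
// Option names mirror the advisory, but the logic below is an assumption.

// Simplified router-side normalization (assumed behaviour, not the router's real code).
function normalizePath(rawUrl, opts) {
  let path = rawUrl.split('?')[0];
  if (opts.useSemicolonDelimiter) {
    // treat everything from the first ';' as parameters, not part of the path
    path = path.split(';')[0];
  }
  if (opts.ignoreDuplicateSlashes) {
    // collapse runs of '/' into a single '/'
    path = path.replace(/\/{2,}/g, '/');
  }
  if (opts.ignoreTrailingSlash && path.length > 1 && path.endsWith('/')) {
    path = path.slice(0, -1);
  }
  return path;
}

// Naive prefix check for a path-scoped middleware: in scope when the path is
// exactly the prefix or starts with the prefix followed by '/'.
function scopeMatch(prefix, path) {
  if (path === prefix) return true;
  return path.startsWith(prefix) && path[prefix.length] === '/';
}

// Simulate one request through a toy app with an auth middleware scoped to
// '/secret' and two protected routes. When `hardened` is true the middleware
// check runs against the same normalized path the router uses (one way to
// close the gap; an assumption, not the library's actual fix).
function simulateRequest(rawUrl, opts, hardened) {
  const protectedPrefix = '/secret';
  const routes = new Set(['/secret', '/secret/data']); // constructed sample routes
  const routedPath = normalizePath(rawUrl, opts);
  const checkedPath = hardened ? routedPath : rawUrl.split('?')[0];
  const authRan = scopeMatch(protectedPrefix, checkedPath);
  const handlerReached = routes.has(routedPath);
  return {
    rawUrl,
    routedPath,
    authRan,
    handlerReached,
    // a bypass is a protected handler reached without the auth middleware running
    bypass: handlerReached && !authRan,
  };
}

// Constructed request paths exercising the listed options.
function runScenarios() {
  const normalizing = { ignoreDuplicateSlashes: true, useSemicolonDelimiter: true, ignoreTrailingSlash: true };
  const plain = { ignoreDuplicateSlashes: false, useSemicolonDelimiter: false, ignoreTrailingSlash: false };
  return [
    simulateRequest('/secret/data', normalizing, false),   // normal request: auth runs
    simulateRequest('//secret/data', normalizing, false),  // duplicate slash: bypass
    simulateRequest('/secret;x', normalizing, false),      // semicolon delimiter: bypass
    simulateRequest('//secret/data', plain, false),        // options off: no route, no bypass
    simulateRequest('//secret/data', normalizing, true),   // hardened check: auth runs
    simulateRequest('/secret;x', normalizing, true),       // hardened check: auth runs
  ];
}

for (const r of runScenarios()) {
  console.log(`${r.rawUrl.padEnd(14)} routed=${r.routedPath.padEnd(13)} auth=${r.authRan} handler=${r.handlerReached} bypass=${r.bypass}`);
}
```

Run it with node; each printed line shows whether the toy auth middleware ran and whether a protected handler was reached for that request. The point the advisory supports is visible in the middle two scenarios: with the normalization options enabled, a prefix check on the raw URL is not a reliable authorization boundary, while with the options off the same crafted paths simply fail to route. The references below point to the fix commit and the v9.2.0 release that address the inconsistency in @fastify/middie itself.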
References
- fluidattacks.com/advisories/jimenez
- fluidattacks.com/advisories/policy
- github.com/advisories/GHSA-8p85-9qpw-fwgw
- github.com/fastify/middie
- github.com/fastify/middie/commit/140e0dd0359d890fec7e6ea1dcc5134d6bd554d4
- github.com/fastify/middie/releases/tag/v9.2.0
- github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw
- nvd.nist.gov/vuln/detail/CVE-2026-2880