@fastify/middie URL-Encoding Vulnerability Allows Middleware Bypass

Vulnerability

In @fastify/middie prior to version 9.1.0, middleware registered for a path prefix can be bypassed by percent-encoding characters in the request path. The middleware engine compares the raw, still-encoded path against the prefix and finds no match, so the middleware is skipped; the Fastify router, by contrast, decodes the path before matching and dispatches the request to the route handler. A request can therefore reach a protected handler without passing through the middleware that was meant to guard it.

Impact

Exploiting this flaw skips whatever the prefix-scoped middleware enforces, such as authentication or authorization checks, so an unauthenticated or unauthorized client can reach the endpoints under that prefix. Any other control implemented in the same middleware (for example request logging or rate limiting) is skipped for the encoded request as well.

Reproduction

To reproduce this vulnerability, register middleware for a prefix such as '/admin' (for example, an authentication check) and a route handler under that prefix. Send a request for the same path with one character percent-encoded, such as '/%61dmin' ('%61' decodes to 'a'). The middleware compares the raw path against '/admin', finds no match and is skipped; the router decodes '/%61dmin' to '/admin' and invokes the handler, which responds as if the request had passed the middleware. A request for '/admin' itself, by comparison, does run the middleware.

Remediation

Upgrade to @fastify/middie version 9.1.0 or later, where this vulnerability is fixed. After upgrading, confirm the fix by sending an encoded request such as '/%61dmin' and checking that the prefix-scoped middleware now runs for it.

Added: Jan 19, 2026, 4:20 PM
Updated: Jan 19, 2026, 4:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 8.0
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.