@fastify/middie Authentication and Authorization Bypass Vulnerability

Vulnerability

A vulnerability exists in @fastify/middie versions prior to 9.2.0, allowing authentication and authorization bypass when using path-scoped middleware. The issue arises from a normalization inconsistency between the middleware's path matching and Fastify's route lookup: a crafted request path can fail to match the middleware's path scope (so the middleware check never runs) while the router still normalizes it to a protected route and dispatches it to the protected handler. The vulnerability is exploitable when certain Fastify router normalization options are enabled, such as ignoring duplicate slashes or using semicolon delimiters, and allows access to endpoints meant to be protected by middleware-based authentication or authorization controls.

Impact

Exploitation allows unauthenticated remote attackers to access endpoints protected by middleware-based authentication or authorization, potentially leading to unauthorized access to functionality and exposure of sensitive data.

Remediation

Users are advised to update to @fastify/middie version 9.2.0 or later. If the update cannot be applied immediately, it is recommended to avoid relying solely on path-scoped middleware for authentication or authorization. Instead, enforce these controls at the route level after normalization, and disable any risky normalization options if possible.
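The following dependency-free Node.js model illustrates both the mismatch described in the Vulnerability section and the remediation advised above (enforcing the check at the route level, after normalization). It is an added example, not code from @fastify/middie or Fastify: the route table, the sample paths, and the `normalizePath` behaviour are constructed for illustration and only model duplicate-slash collapsing (the semicolon-delimiter option is deliberately not modelled, since its exact semantics are not described on this page). The point it demonstrates is general: any guard that keys on the raw request path can disagree with a router that normalizes before lookup, and the fix is to authorize against the path the router actually matched.

```javascript
// Constructed model of a path-scoped guard vs. a normalizing router.
// Option name mirrors the kind of router setting the advisory mentions;
// the normalization here is an assumption for the example, not Fastify's.
const ROUTER_OPTIONS = { ignoreDuplicateSlashes: true };

// Normalize a raw URL path the way a router might before route lookup.
function normalizePath(rawPath, opts = ROUTER_OPTIONS) {
  let p = rawPath.split('?')[0];                         // drop query string
  if (opts.ignoreDuplicateSlashes) p = p.replace(/\/{2,}/g, '/');
  return p;
}

// Constructed route table: paths the protected handlers are registered under.
const PROTECTED_ROUTES = ['/admin/users', '/admin/settings'];

// A path-scoped guard in the style of app.use('/admin', mw): it only runs
// its check when the path it is shown starts with the prefix.
function prefixGuardCovers(prefix, path) {
  return path === prefix || path.startsWith(prefix + '/');
}

// Weak pattern: the guard inspects the RAW path, the router the normalized one.
// Returns true when the request is allowed through to routing.
function rawPrefixGuardAllows(rawPath, prefix, isAuthenticated) {
  if (!prefixGuardCovers(prefix, rawPath)) return true;  // guard not triggered
  return isAuthenticated;
}

// Hardened pattern: authorize against the path the router actually matched,
// i.e. the check runs at the route level, after normalization.
function routeLevelGuardAllows(rawPath, prefix, isAuthenticated) {
  const routed = normalizePath(rawPath);
  if (!PROTECTED_ROUTES.includes(routed)) return true;   // not a protected route
  if (!prefixGuardCovers(prefix, routed)) return true;
  return isAuthenticated;
}

// Audit helper a defender can keep as a regression test: for each raw path,
// report whether an UNauthenticated request would reach a protected handler
// under each guard pattern. Any row with rawGuardGap === true is a finding.
function auditPaths(rawPaths, prefix = '/admin') {
  return rawPaths.map((rawPath) => {
    const routed = normalizePath(rawPath);
    const reachesProtected = PROTECTED_ROUTES.includes(routed);
    return {
      rawPath,
      routed,
      reachesProtected,
      rawGuardGap: reachesProtected && rawPrefixGuardAllows(rawPath, prefix, false),
      routeGuardGap: reachesProtected && routeLevelGuardAllows(rawPath, prefix, false),
    };
  });
}

// Constructed sample paths: a canonical one, one that only becomes a protected
// route after normalization, and an unprotected one.
const SAMPLE_PATHS = ['/admin/users', '//admin/users', '/public/info'];

console.log(JSON.stringify(auditPaths(SAMPLE_PATHS), null, 2));
```

Running the block prints one row per sample path; the `rawGuardGap` column is true only for the path that the prefix guard ignores but the router still resolves to a protected route, while `routeGuardGap` is false for every row because the route-level check sees the same normalized path the router used. The same audit shape can be pointed at a real application's route table to confirm that no guard depends on the raw path.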

Added: Feb 27, 2026, 7:23 PM
Updated: Feb 27, 2026, 7:23 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          0.0
impact          5.0
exploitability  6.2
remediation     0.0
relevance       3.3
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.