@fastify/middie Middleware Bypass Vulnerability via Deprecated ignoreDuplicateSlashes Option

Vulnerability

A middleware bypass vulnerability has been identified in @fastify/middie versions through 9.3.1. This issue arises when the deprecated top-level ignoreDuplicateSlashes option is enabled, as the middleware path matching logic fails to account for duplicate slash normalization performed by Fastify's router. Consequently, requests containing duplicate slashes can bypass authentication and authorization checks. This vulnerability only affects applications using the deprecated top-level configuration style.

Impact

Because the router collapses duplicate slashes while the middleware path matcher does not, the two components see different paths for the same request. A request whose URL contains duplicate leading slashes can therefore reach a route without the middleware-enforced authentication and authorization checks running against it.

Remediation

Users are advised to upgrade to @fastify/middie version 9.3.2 or later. Additionally, migrate from the deprecated top-level ignoreDuplicateSlashes option to routerOptions: { ignoreDuplicateSlashes: true }.
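The normalization gap described under Impact, together with the fix of applying one normalization on both sides, as an added model written for this page (not code from @fastify/middie or Fastify): a router that collapses duplicate slashes next to a middleware prefix check that runs on the raw URL, beside the same check run on the normalized path. The route table, the /admin prefix and the slash-collapsing function are constructed assumptions, not the library's implementation.

```javascript
// Collapse runs of '/' into one '/', modelling a router that has
// ignoreDuplicateSlashes enabled (assumption: simplified, not Fastify's code).
function collapseDuplicateSlashes(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Constructed route table and guarded prefix for the model.
const routes = new Set(['/admin/users', '/public/status']);
const guardedPrefix = '/admin';

// Vulnerable model: the router matches the normalized path, but the
// middleware prefix check still looks at the raw request URL.
function dispatchVulnerable(rawUrl) {
  const routed = collapseDuplicateSlashes(rawUrl);
  return {
    routeHit: routes.has(routed),
    guardRan: rawUrl.startsWith(guardedPrefix),
    guardRequired: routed.startsWith(guardedPrefix),
  };
}

// Hardened model: the middleware check sees exactly the path the
// router matched, so both components agree on what was requested.
function dispatchHardened(rawUrl) {
  const routed = collapseDuplicateSlashes(rawUrl);
  return {
    routeHit: routes.has(routed),
    guardRan: routed.startsWith(guardedPrefix),
    guardRequired: routed.startsWith(guardedPrefix),
  };
}

// Detection check: a guarded route was served without its guard running.
function isBypass(result) {
  return result.routeHit && result.guardRequired && !result.guardRan;
}
```

The same comparison can be run over an access log of raw request URLs to flag any guarded route that was served while the guard was skipped.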

Added: Apr 16, 2026, 3:45 PM
Updated: Apr 16, 2026, 3:45 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 6.0
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.