@fastify/middie Middleware Authentication Bypass Vulnerability in Child Plugin Scopes

Vulnerability

A vulnerability exists in @fastify/middie versions through 9.3.1, where inherited middleware is not properly registered on child plugin instances. This issue allows unauthenticated requests to access routes in child plugins that should be protected by parent-scoped authentication middleware. The vulnerability arises because the middleware paths are incorrectly modified when passed to child plugins, causing the authentication checks to be bypassed. As a result, security controls such as authentication, authorization, and rate limiting are not enforced on affected routes.

Impact

Exploitation of this vulnerability leads to a complete bypass of authentication and authorization checks, allowing unauthenticated requests to access protected routes in child plugin scopes. This also affects any nested child scopes, creating a silent bypass of essential security controls without any errors or warnings.

Reproduction

To reproduce this vulnerability, create a Fastify application and register authentication middleware in the parent scope. Then register a child plugin whose prefix overlaps with the path on which the parent middleware is mounted. Requests to the child plugin's routes bypass the authentication middleware, allowing unauthenticated access.
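The following regression check is an added example, not code from the advisory or from the @fastify/middie project. It assumes `fastify` and `@fastify/middie` are installed; the `/admin` mount path, route names and the bearer-header check are made up for the test. It builds the parent/child layout described above (including a nested grandchild scope) and reports any protected route that is served without credentials.

```javascript
// Added regression check (not part of the advisory or the project): confirms that
// parent-scope auth middleware still guards routes inside prefixed child plugins.
// Assumes `fastify` and `@fastify/middie` are installed; paths and header are made up.
const PROTECTED_PATHS = ['/admin/secret', '/admin/nested/secret'];

// Pure helper: given probe results, return the paths served without a 401.
function leakedPaths(results) {
  return results.filter((r) => r.statusCode !== 401).map((r) => r.url);
}

async function buildApp(fastify, middie) {
  const app = fastify();
  await app.register(middie);
  // Parent-scope auth middleware mounted on /admin: reject requests with no credentials.
  app.use('/admin', (req, res, next) => {
    if (!req.headers.authorization) {
      res.statusCode = 401;
      return res.end('unauthorized');
    }
    next();
  });
  // Child plugin whose prefix overlaps the middleware mount path, plus a nested scope.
  await app.register(async (child) => {
    child.get('/secret', async () => ({ ok: true }));
    await child.register(async (grandchild) => {
      grandchild.get('/secret', async () => ({ ok: true }));
    }, { prefix: '/nested' });
  }, { prefix: '/admin' });
  await app.ready();
  return app;
}

// Send unauthenticated requests to each protected path and record the status codes.
async function probe(app, paths) {
  const results = [];
  for (const url of paths) {
    const res = await app.inject({ method: 'GET', url });
    results.push({ url, statusCode: res.statusCode });
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  (async () => {
    const app = await buildApp(require('fastify'), require('@fastify/middie'));
    const leaked = leakedPaths(await probe(app, PROTECTED_PATHS));
    console.log(leaked.length ? `BYPASS: ${leaked.join(', ')}` : 'all protected routes require auth');
    await app.close();
    process.exitCode = leaked.length ? 1 : 0;
  })();
}
```

On an affected version the script lists the child-scope paths that answered without a 401; after upgrading to 9.3.2 or later it should report that all protected routes require auth.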

Remediation

Upgrade to @fastify/middie version 9.3.2 or later.

Added: Apr 16, 2026, 2:26 PM
Updated: Apr 16, 2026, 2:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.6
exploitability: 8.7
remediation: 0.0
relevance: 6.0
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.