CVE-2026-14198: @fastify/middie vulnerable to authorization bypass via encoded slash in path parameter values
@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP-method-agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: 9.3.3
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authorization bypass vulnerability affects @fastify/middie versions 9.1.0 through 9.3.2, a middleware compatibility layer for the Fastify Node.js web framework. The flaw is reachable over the network with no authentication required: an attacker sends a single HTTP request containing a percent-encoded slash (%2F) in a path parameter, causing the middleware layer to skip security checks that the underlying route handler still executes. Successful exploitation lets an attacker read protected resources or tamper with data that middleware-enforced authentication, authorization, or rate limiting was meant to guard. A patched-image rebuild at version 9.3.3 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-14198 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle @fastify/middie 9.1.0 through 9.3.2.
HarborGuard scores this CVE at its published CVSS v3.1 severity of 9.1 (Critical) and weights findings against each environment's compliance policy before routing alerts to the appropriate team inbox within each customer organization.
A patched-image rebuild targeting @fastify/middie 9.3.3 becomes available on HarborGuard once an affected image is identified; for customers with auto-remediation enabled, the platform rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads. Median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Fastify service over the network; no local or physical access is needed, and the crafted request can be sent from anywhere the service is exposed.
- Authentication: Not required
  No credentials or session are needed; the bypass works on unauthenticated HTTP requests across all methods.
- Victim interaction: Not required
  No user action is required; the attacker sends the crafted URL directly to the server without any social-engineering step.
- Attack complexity: Low (AC:L in the CVSS vector)
  Exploitation is reliable and condition-free: sending a single request with %2F in the path parameter position is sufficient, with no timing dependency or environmental prerequisite.
Blast Radius
- An attacker bypasses middleware-enforced authentication or authorization checks and reaches route handlers that were intended to be protected.
- Protected data exposed to the handler (session tokens, user records, configuration endpoints) becomes readable without presenting valid credentials.
- An attacker can issue write or delete operations through protected handlers, modifying persisted data that authorization middleware was meant to block.
- Rate-limiting and auditing middleware is also bypassed, enabling unthrottled requests and leaving no audit trail for the access.
How HarborGuard Handles This
Available on HarborGuard: images containing @fastify/middie 9.1.0 through 9.3.2 are matched against this CVE within minutes of advisory ingestion, including images built internally. Where compliance policy permits, the platform can rebuild affected images at @fastify/middie 9.3.3 automatically; for customers who opt into auto-remediation, this triggers a full rebuild, a regression-test run, and a pull request opened against affected workloads, with a median time to merged patch PR of around 90 minutes for critical-severity issues. For teams that cannot immediately upgrade, HarborGuard surfaces compensating-control guidance: avoid parameterized middleware paths for security decisions, and enforce authentication at the route handler level or via a Fastify hook that runs after the router resolves the request, which eliminates the path-decoding disagreement that the bypass exploits.
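The path-decoding disagreement described in this advisory, and the after-routing gate it recommends as a workaround, as an added example that is not code from Fastify, @fastify/middie or HarborGuard: a constructed, simplified model of both matching layers, a regression check that lists URLs the router dispatches but a decoding middleware matcher never sees, and a gate that decides on the router's own match instead of re-matching the URL. The pattern and URLs are constructed, and the actual 9.3.3 change is not reproduced here.

```javascript
// Constructed model of the two path-matching layers the advisory describes.
// Not code from Fastify or @fastify/middie; segment matching is simplified.
// Split a request path into segments without decoding anything.
function segments(path) {
  return path.split('?')[0].split('/').filter((s) => s.length > 0);
}
// Match "/users/:id"-style patterns; returns the params object or null.
function matchPattern(pattern, path) {
  const want = segments(pattern);
  const got = segments(path);
  if (want.length !== got.length) return null;
  const params = {};
  for (let i = 0; i < want.length; i++) {
    if (want[i].startsWith(':')) params[want[i].slice(1)] = got[i];
    else if (want[i] !== got[i]) return null;
  }
  return params;
}
// Router layer: matches on the raw path, so %2F stays inside one segment.
function routerMatch(pattern, rawUrl) {
  return matchPattern(pattern, rawUrl);
}
// Middleware layer as described for 9.1.0 through 9.3.2: decodes first,
// so a %2F becomes a real slash and the segment count no longer lines up.
function decodingMiddlewareMatch(pattern, rawUrl) {
  let decoded;
  try { decoded = decodeURIComponent(rawUrl); } catch (e) { return null; } // malformed escape
  return matchPattern(pattern, decoded);
}
// Regression check for a test suite: URLs the router would dispatch to the
// handler but that a decoding middleware matcher would never gate.
function findUngatedUrls(pattern, urls) {
  return urls.filter(
    (u) => routerMatch(pattern, u) !== null && decodingMiddlewareMatch(pattern, u) === null,
  );
}
// Workaround from the advisory: decide authorization on the router's own
// match (a hook or route-level preHandler) instead of re-matching the URL,
// so the gate and the handler always see the same request.
function gateOnRoutedRequest(pattern, rawUrl, isAllowed) {
  const params = routerMatch(pattern, rawUrl);
  if (params === null) return { routed: false, allowed: false };
  return { routed: true, allowed: isAllowed(params), params };
}
```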
Fix available
- @fastify/middie: < 9.3.3 (from 9.1.0), fixed in 9.3.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N