External risk intelligence

@fastify/middie Path Traversal Vulnerability Allows Middleware Bypass

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-14198

The vulnerability affects middleware in a web framework used to build public-facing web applications and APIs. Because this middleware is frequently used to implement security controls like authentication and authorization on internet-accessible routes, the vulnerable surface is commonly exposed to the public internet in typical web deployments.

Fastify\/middie

9.1.0 to before 9.3.3

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in a web framework component used for building applications and APIs, potentially allowing unauthenticated access to protected functions. This issue arises from a discrepancy in how encoded slashes are handled between the framework's routing and its middleware layer, enabling attackers to bypass security controls on parameterized paths. The main concern is confirming relevance and exposure within your Fastify-based services.

  • Attackers can bypass access controls.
  • It affects security layers like authentication.
  • Confirm if your Fastify applications are affected.

Attack Path

How an attacker could exploit the issue

An attacker can bypass security controls by sending a specially crafted URL. This happens because the middleware and the framework's router interpret encoded slashes in different ways, allowing an attacker to reach a protected route handler that the middleware fails to block. This bypass does not require authentication or any special setup.

  • Entry Condition: Attacker can send network requests.
  • Trigger Point: Crafted URL bypasses middleware path matching.
  • Resulting Risk: Unauthorized access to protected handlers.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to bypass security middleware, such as authentication or authorization checks, on parameterized URL paths. This bypass could be achieved by sending a specially crafted URL that includes an encoded slash, which the middleware and the router interpret differently. When middleware is used for critical security decisions on these paths, an attacker could potentially access protected routes without proper credentials or authorization.

  • Protected route handlers.
  • Encoded slashes in URLs bypass middleware.
  • Unauthorized access to sensitive routes.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts applications using `@fastify/middie` for middleware, particularly when handling authentication, authorization, or rate limiting on parameterized paths. Application owners and platform teams are likely responsible for remediation. The first practical step involves identifying all instances of the affected middleware, determining their reachability and criticality, and then coordinating the upgrade or implementing workarounds based on the assessed risk.

  • Application owners should own the issue.
  • Verify middleware usage on parameterized paths.
  • Coordinate @fastify/middie upgrade.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is @fastify/middie and why is it used?

@fastify/middie is a plugin for the Fastify web framework that allows developers to run Express-style middleware. Developers use it to add common functionality, such as security checks, logging, or data processing, into the request lifecycle of their web applications and APIs.

What is the vulnerability in CVE-2026-14198?

This vulnerability is a 'Interpretation Conflict' (CWE-436). It occurs because the middleware and the main router interpret encoded slashes (%2F) in URL parameters differently. This discrepancy causes the middleware to miss the request entirely, allowing traffic to reach protected handlers that should have been blocked by security rules.

How does an attacker trigger this bypass?

An attacker triggers this by sending a crafted URL containing an encoded slash within a parameter field. The bypass happens automatically because the middleware ignores the request while the router processes it. Note that standard, non-parameterized routes are not affected by this specific path-handling mismatch.

Is my application at risk?

If you use @fastify/middie on parameterized paths for security tasks like authentication, authorization, or rate limiting, you are at risk. Halo Surface Signal identifies this as 'Likely' to be exposed to the public internet because these frameworks are standard for building internet-facing web services and APIs.

What are the first steps to address this issue?

First, locate all instances where middleware is applied to parameterized routes. The primary fix is to upgrade to @fastify/middie version 9.3.3. If an immediate upgrade is not possible, move security logic away from middleware and enforce it directly within your route handlers or via Fastify hooks that execute after the router has resolved the request.

References