CVE-2026-2880

CVE-2026-2880 is a high-severity improper input validation vulnerability in @fastify/middie (npm), affecting versions < 9.2.0. It is fixed in 9.2.0.

Summary

A path normalization inconsistency in @fastify/middie can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).

When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.

Affected versions

  • Confirmed affected: @fastify/[email protected]
  • All versions prior to the patch are affected.

Patched versions

  • Fixed in: 9.2.0

Details

The issue is caused by canonicalization drift between:

  1. @fastify/middie path matching for app.use('/prefix', ...), and
  2. Fastify/find-my-way route lookup normalization.

Because middleware and router did not always evaluate the same normalized path, auth middleware could be skipped while route resolution still succeeded.

Workarounds

Until the patched version is deployed:

  • Avoid relying solely on path-scoped middie guards for auth/authorization.
  • Enforce auth at route-level handlers/hooks after router normalization.
  • Disable risky normalization combinations only if operationally feasible.
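To make the drift described under Details and the route-level workaround above concrete, here is an added JavaScript model (not code from @fastify/middie, Fastify or find-my-way): router normalization is reduced to the three options the advisory names, and the prefix matcher is assumed to require a segment boundary; both are simplifying assumptions. The two arrangements it compares are the vulnerable one (guard evaluated on the raw path, router on the normalized path) and the hardened one (auth decided on the same normalized path the router uses).

```javascript
// Added example, not the project's code. Simplified model of the canonicalization
// drift between a path-scoped middleware guard and router normalization.

// Model of router-side normalization (assumption: simplified, not find-my-way itself).
function normalizeForRouter(rawPath, opts = {}) {
  let p = rawPath.split('?')[0];                        // query string never takes part in routing
  if (opts.useSemicolonDelimiter) p = p.split(';')[0];  // ';params' treated like query data
  if (opts.ignoreDuplicateSlashes) p = p.replace(/\/{2,}/g, '/');
  if (opts.ignoreTrailingSlash && p.length > 1) p = p.replace(/\/+$/, '');
  return p;
}

// Model of a path-scoped middleware check such as app.use('/secret', auth):
// the prefix must match on a segment boundary (assumption about the matcher).
function guardCoversPath(prefix, path) {
  if (!path.startsWith(prefix)) return false;
  const rest = path.slice(prefix.length);
  return rest === '' || rest.startsWith('/');
}

// Constructed route table: the handlers the guard is meant to protect.
const PROTECTED_ROUTES = new Set(['/secret', '/secret/data']);
const GUARD_PREFIX = '/secret';

// Evaluate one request under both arrangements.
//  vulnerableBypass: route resolves but the guard, fed the raw path, never ran
//  hardenedBypass:   auth decided on the router's normalized path (route-level hook)
function evaluateRequest(rawPath, opts = {}) {
  const routed = normalizeForRouter(rawPath, opts);
  const routeMatched = PROTECTED_ROUTES.has(routed);
  const guardRanOnRaw = guardCoversPath(GUARD_PREFIX, rawPath);
  const guardRanOnNormalized = guardCoversPath(GUARD_PREFIX, routed);
  return {
    routed,
    routeMatched,
    vulnerableBypass: routeMatched && !guardRanOnRaw,
    hardenedBypass: routeMatched && !guardRanOnNormalized,
  };
}
```

Running `evaluateRequest('//secret', { ignoreDuplicateSlashes: true })` in this model reports a bypass for the vulnerable arrangement and none for the hardened one; with the option off the router does not resolve the path at all, which is why the advisory says impact depends on router configuration.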

Credits

  • Cristian Vargas (Fluid Attacks Research Team), discovery and report.
  • Oscar Uribe (Fluid Attacks), coordination and disclosure.

Impact

An unauthenticated remote attacker can access endpoints intended to be protected by middleware-based auth/authorization controls by sending specially crafted URL paths (for example, //secret or /secret;foo=bar), depending on router option configuration.

This may lead to unauthorized access to protected functionality and data exposure.

The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths. Typical impact varies by context: data corruption, logic bypass, or denial of service.

Affected versions

@fastify/middie (< 9.2.0)

Security releases

@fastify/middie → 9.2.0 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade @fastify/middie to 9.2.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-2880? CVE-2026-2880 is a high-severity improper input validation vulnerability in @fastify/middie (npm), affecting versions < 9.2.0. It is fixed in 9.2.0. The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths.
  2. Which versions of @fastify/middie are affected by CVE-2026-2880? @fastify/middie (npm) versions < 9.2.0 are affected.
  3. Is there a fix for CVE-2026-2880? Yes. CVE-2026-2880 is fixed in 9.2.0. Upgrade to this version or later.
  4. Is CVE-2026-2880 exploitable, and should I be worried? Whether CVE-2026-2880 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-2880 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-2880? Upgrade @fastify/middie to 9.2.0 or later.

Other vulnerabilities in @fastify/middie

  • CVE-2026-6270
  • CVE-2026-2880
  • CVE-2026-22031
