Fastify Fastify/middie — known CVE vulnerabilities
Every CVE whose affected-product data names Fastify Fastify/middie, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (6)
CVE-2026-14198 — CVSS 9.1 (critical): @fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths…
CVE-2026-2880 — CVSS 9.1 (critical): A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware…
CVE-2026-6270 — CVSS 9.1 (critical): @fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify…
CVE-2026-22031 — CVSS 8.4 (high): @fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior…
CVE-2026-14181 — CVSS 7.5 (high): @fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request…
CVE-2026-33804 — CVSS 7.4 (high): @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is…