Listen to this Post
The vulnerability exists because @fastify/middie versions 9.3.1 and earlier fail to properly register inherited middleware on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This occurs due to an incorrect re-prefixing logic when propagating middleware paths to child plugin scopes. Specifically, if a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fails to match incoming requests. As a result, unauthenticated requests can reach routes defined in child plugin scopes, completely bypassing authentication, authorization, rate limiting, and any other middleware-based security controls. No special request crafting or configuration is required to exploit this flaw. The issue affects all nested (grandchild) scopes as well. This vulnerability class is the same as GHSA-hrwm-hgmj-7p9c (CVE-2026-33807) in @fastify/express. The patch is available in version 9.3.2, which correctly registers inherited middleware on child plugin engine instances. There are no workarounds; upgrading is the only solution.
Platform: @fastify/middie
Version: <=9.3.1
Vulnerability: Middleware Bypass
Severity: CRITICAL
date: 2026-04-16
Prediction: 2026-04-16
What Undercode Say:
Check installed version npm list @fastify/middie Verify vulnerable version npm view @fastify/[email protected] version Upgrade to patched version npm install @fastify/[email protected] Audit for vulnerabilities npm audit --production
// Vulnerable pattern: parent middleware not inherited
const fastify = require('fastify')();
const middie = require('@fastify/middie');
await fastify.register(middie);
fastify.use('/admin', authMiddleware); // Parent scope
await fastify.register(childPlugin, { prefix: '/api' }); // Child scope bypasses auth
Exploit:
// Exploit: Unauthenticated request to child plugin route
const axios = require('axios');
// This request reaches /api/user without auth check
axios.get('http://localhost:3000/api/user');
Protection from this CVE
Upgrade to @fastify/middie 9.3.2 or later immediately. No workarounds exist.
Impact
Complete bypass of authentication, authorization, and rate limiting for all routes in child plugin scopes. Unauthenticated attackers can access sensitive endpoints (admin panels, user data, APIs) without any special request crafting.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

