CVE-2026-14198

Source
https://cve.org/CVERecord?id=CVE-2026-14198
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14198.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-14198
Aliases
  • GHSA-2v46-jxjm-7q3v
Published
2026-07-01T11:29:20.435Z
Modified
2026-07-08T07:01:36.425658616Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
@fastify/middie vulnerable to authorization bypass via encoded slash in path parameter values
Details

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14198.json",
    "cna_assigner": "openjs",
    "cwe_ids": [
        "CWE-436"
    ]
}
References

Affected packages

Git / github.com/fastify/middie

Affected ranges

Type
GIT
Repo
https://github.com/fastify/middie
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:fastify:fastify\\/middie:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "9.1.0"
        },
        {
            "fixed": "9.3.3"
        }
    ]
}

Affected versions

v9.*
v9.1.0
v9.2.0
v9.3.0
v9.3.1
v9.3.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14198.json"