GHSA-72c6-fx6q-fr5w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-72c6-fx6q-fr5w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-72c6-fx6q-fr5w/GHSA-72c6-fx6q-fr5w.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-72c6-fx6q-fr5w
- Aliases
-
- CVE-2026-6270
- Published
- 2026-04-16T22:29:04Z
- Modified
- 2026-04-16T22:51:47.687201Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
- Details
-
Impact
@fastify/middiev9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fails to match incoming requests.This results in complete bypass of middleware security controls for all routes defined within affected child plugin scopes, including nested (grandchild) scopes. Authentication, authorization, rate limiting, and any other middleware-based security mechanisms are skipped. No special request crafting or configuration is required.
This is the same vulnerability class as GHSA-hrwm-hgmj-7p9c (CVE-2026-33807) in
@fastify/express.Patches
Upgrade to
@fastify/middiev9.3.2 or later.Workarounds
None. Upgrade to the patched version.
- Database specific
{ "github_reviewed_at": "2026-04-16T22:29:04Z", "nvd_published_at": "2026-04-16T14:16:19Z", "cwe_ids": [ "CWE-436" ], "severity": "CRITICAL", "github_reviewed": true }- References
Affected packages
npm / @fastify/middie
Package
- Name
- @fastify/middie
- View open source insights on deps.dev
- Purl
- pkg:npm/%40fastify/middie