JustAppSec

Fastify middie patches path normalization auth bypass

1 min read | Published 28 Feb 2026 | Updated 28 Feb 2026 | Source: GitHub Advisory Database

TL;DR — A path normalization mismatch in @fastify/middie can silently skip path-scoped auth middleware, letting requests reach protected routes without authentication.

What happened

@fastify/middie is a Fastify plugin that adds Express-compatible middleware support to the Fastify web framework for Node.js. A security advisory for @fastify/middie describes an improper path normalization issue where middleware path matching can disagree with Fastify/find-my-way route normalization. When these differ, path-scoped middleware (e.g., app.use('/secret', auth)) may be skipped while the request is still routed to a protected handler.

Path normalization bugs in web frameworks are a recurring class of auth bypass — this is the same category of issue that has affected Express, Koa, and Spring in recent years, and is worth auditing for in any middleware-based auth architecture.

Who is impacted

  • Applications using @fastify/middie with path-scoped middleware protections, particularly when Fastify router options like ignoreDuplicateSlashes or useSemicolonDelimiter are enabled.
  • All versions prior to 9.2.0 are affected. Example bypass paths include //secret and /secret;foo=bar.

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
  • Until patched, avoid relying solely on path-scoped middie middleware for auth — enforce auth at route-level handlers/hooks after router normalization.
  • If feasible, disable risky normalization combinations called out in the advisory.

Additional Information

Severity is CVSS v4.0 8.2 (High). Root cause: canonicalization drift between middie path matching and find-my-way route lookup normalization.
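As an added illustration (not code from the advisory, @fastify/middie or find-my-way), the model below reproduces the drift described here and under "What happened": an Express-style mount matcher compared with a modelled router normalizer for the two options named on the page, with an audit helper to run over logged request paths and a canonical matcher showing the fix direction. Function names, the normalizer's exact behaviour and the sample paths are assumptions and constructed data.

```javascript
// Constructed model of the canonicalization drift described in the advisory.
// Not @fastify/middie or find-my-way code; the normalizer below only models
// the two router options named on the page.

// Express-style mount matching: middleware mounted at /secret fires for
// /secret and /secret/... but not for //secret or /secret;foo=bar.
function mountMatches(mount, path) {
  return path === mount || path.startsWith(mount + '/');
}

// Router-side normalization applied before route lookup (modelled, assumed).
function routerNormalize(path, opts = {}) {
  let p = path;
  if (opts.useSemicolonDelimiter) {
    // ';' starts the query string, so the remainder is dropped from the path.
    const i = p.indexOf(';');
    if (i !== -1) p = p.slice(0, i);
  }
  if (opts.ignoreDuplicateSlashes) p = p.replace(/\/\/+/g, '/');
  return p;
}

// Audit helper: request paths that the router would send to a route under
// `mount` while middleware mounted at `mount` would not run. Run it over
// access-log paths to find requests that skipped a path-scoped auth middleware.
function findAuthGaps(mount, paths, opts) {
  return paths.filter(
    (p) => !mountMatches(mount, p) && mountMatches(mount, routerNormalize(p, opts))
  );
}

// Fix direction: decide the middleware on the router-normalized path (or, as
// the advisory recommends, enforce auth in a route-level hook) so both agree.
function mountMatchesCanonical(mount, path, opts) {
  return mountMatches(mount, routerNormalize(path, opts));
}

// Constructed sample of request paths, including the two bypass shapes from the advisory.
const samplePaths = ['/secret', '/secret/admin', '//secret', '/secret;foo=bar', '/public', '/secretary'];
const riskyOpts = { ignoreDuplicateSlashes: true, useSemicolonDelimiter: true };

console.log('middleware skipped but routed:', findAuthGaps('/secret', samplePaths, riskyOpts));
```

With both options off, `findAuthGaps` reports nothing for the sample set, which is why the advisory calls out those option combinations specifically.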


Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
