JustAppSec

@fastify/middie patches path normalization auth bypass in path-scoped middleware (CVE-2026-2880)

What happened

A security advisory for @fastify/middie describes an improper path normalization issue where middleware path matching can disagree with Fastify/find-my-way route normalization. When these differ, path-scoped middleware (e.g., app.use('/secret', auth)) may be skipped while the request is still routed to a protected handler.

Who is impacted

Applications using @fastify/middie with path-scoped middleware protections are impacted, particularly when Fastify router normalization options are enabled (including ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior). The advisory states @fastify/[email protected] is confirmed affected and that all versions prior to the patch are affected. Example bypass paths mentioned include //secret and /secret;foo=bar (depending on router option configuration).

What to do now

  • Upgrade @fastify/middie to 9.2.0 (fixed version).
  • Until upgraded, do not rely solely on path-scoped middie middleware for authentication or authorization; enforce it in route-level handlers or Fastify hooks, which run after the router has normalized the path.
  • If operationally feasible, disable risky normalization combinations called out in the advisory.
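To make the root cause concrete, here is an added illustration (not code from @fastify/middie, find-my-way, or the advisory) of the canonicalization drift described above and of the mitigation in the list: a middleware matcher that compares its mount prefix against the raw URL path can be skipped for a request that the router, after normalizing, still sends to the protected handler. The three normalization rules are simplified stand-ins for the router options the advisory names (ignoreDuplicateSlashes, useSemicolonDelimiter, trailing-slash handling), the `/secret` prefix is the advisory's own example, and the extra sample paths beyond `//secret` and `/secret;foo=bar` are constructed.

```javascript
// Simplified router-style normalization. Assumption: these rules approximate the
// behaviour of the named router options; they are not the library's implementation.
function normalizePath(rawPath, opts = {}) {
  let path = rawPath.split('?')[0];          // drop the query string
  if (opts.useSemicolonDelimiter) {
    path = path.split(';')[0];               // ';foo=bar' is a parameter delimiter, not part of the path
  }
  if (opts.ignoreDuplicateSlashes) {
    path = path.replace(/\/{2,}/g, '/');     // '//secret' -> '/secret'
  }
  if (opts.ignoreTrailingSlash && path.length > 1 && path.endsWith('/')) {
    path = path.slice(0, -1);                // '/secret/' -> '/secret'
  }
  return path;
}

// Naive path-scoped matcher: compares the mount prefix against the raw path only.
function naiveMatches(prefix, rawPath) {
  const path = rawPath.split('?')[0];
  return path === prefix || path.startsWith(prefix + '/');
}

// Hardened matcher: normalize exactly as the router will before comparing.
function normalizedMatches(prefix, rawPath, opts) {
  const path = normalizePath(rawPath, opts);
  return path === prefix || path.startsWith(prefix + '/');
}

// Simulate one request: the router picks the handler from the normalized path,
// while the auth middleware runs only if the chosen matcher says the path is under '/secret'.
function simulate(rawPath, opts, matcher) {
  const routed = normalizePath(rawPath, opts);
  const protectedRoute = routed === '/secret' || routed.startsWith('/secret/');
  const authRan = matcher('/secret', rawPath, opts);
  return { routed, protectedRoute, authRan, bypass: protectedRoute && !authRan };
}

// Review aid: which request paths reach the protected handler without the naive
// middleware ever running. Useful for checking a given router option set.
function findBypasses(paths, opts) {
  return paths.filter((p) => simulate(p, opts, naiveMatches).bypass);
}

// Constructed router configuration and sample request paths.
const ROUTER_OPTS = { ignoreDuplicateSlashes: true, useSemicolonDelimiter: true, ignoreTrailingSlash: true };
const SAMPLE_PATHS = ['/secret', '//secret', '/secret;foo=bar', '/secret/', '/public', '/secretive'];

// findBypasses(SAMPLE_PATHS, ROUTER_OPTS) -> ['//secret', '/secret;foo=bar']
// findBypasses(SAMPLE_PATHS, {})          -> []   (no normalization, no drift)
```

The second call shows why the advisory ties exposure to router option configuration: with no normalization enabled, the two views of the path agree and nothing slips through. The hardened matcher is the equivalent of the mitigation above, since deciding after normalization means the middleware and the router see the same path.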

Additional Information

  • Severity: CVSS v4.0 8.2 (High) (vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
  • Root cause (as described): canonicalization drift between middie path matching and find-my-way route lookup normalization.
  • Identifier: CVE-2026-2880.
Source: GitHub Advisory Database
Published 28 Feb 2026. Updated 28 Feb 2026.