@fastify/middie is a middleware plugin for the Fastify web framework that enhances middleware support. The vulnerability identified as CVE-2026-22031 (CWE-177) involves improper handling of URL encoding in middleware path prefixes. Specifically, when middleware is registered with a path prefix (e.g., /admin), an attacker can bypass middleware protections by using URL-encoded characters (e.g., /%61dmin, where %61 is 'a'). The middleware engine fails to decode these encoded characters and thus does not execute the middleware for the request. However, the Fastify router itself correctly decodes the URL and matches the intended route handler, which means the request reaches the protected endpoint without the middleware constraints being applied. This discrepancy creates an access control bypass, allowing attackers to reach endpoints that should be protected by middleware logic such as authentication, authorization, or input validation. The vulnerability affects all versions of @fastify/middie prior to 9.1.0, with no known exploits in the wild reported yet. The CVSS v3.1 score is 8.4 (high), reflecting the network attack vector, low privileges required, no user interaction, and a significant impact on confidentiality and integrity with limited availability impact. The root cause is the inconsistent decoding of URL paths between middleware matching and route matching components. The fix in version 9.1.0 ensures consistent decoding and matching behavior, preventing bypasses via encoded URLs.

For European organizations, this vulnerability poses a significant risk to web applications built on Fastify using the vulnerable @fastify/middie versions. Attackers can bypass middleware protections such as authentication and authorization, gaining unauthorized access to sensitive endpoints. This can lead to data breaches, unauthorized data modification, and potential lateral movement within internal systems. Given Fastify's popularity for building performant Node.js web services, organizations in sectors like finance, healthcare, e-commerce, and government services are at risk if they rely on this middleware for security controls. The impact extends to confidentiality and integrity of data, with possible regulatory consequences under GDPR if personal data is exposed. The vulnerability does not require user interaction and can be exploited remotely over the network, increasing the attack surface. Although no known exploits are reported yet, the ease of exploitation and high impact necessitate urgent remediation to prevent potential attacks.

European organizations should immediately upgrade @fastify/middie to version 9.1.0 or later to eliminate the vulnerability. Until upgrading is possible, organizations should implement strict input validation and normalization on incoming URLs to detect and reject encoded path prefixes that could bypass middleware. Security teams should audit all middleware registrations to ensure no critical security controls rely solely on path prefix matching vulnerable to encoding bypass. Additionally, implementing defense-in-depth by enforcing authentication and authorization checks at the route handler level, not just middleware, can reduce risk. Web application firewalls (WAFs) can be configured to detect and block suspicious URL-encoded requests targeting protected paths. Continuous monitoring and logging of unusual URL patterns can help detect exploitation attempts. Finally, developers should review and test middleware and routing logic for consistent URL decoding behavior to prevent similar issues.