CVE-2026-6270: Authentication Bypass via Middleware Interpretation Conflict in Fastify Middie

The @fastify/middie and @fastify/fastify-express packages provide backward compatibility for Express and Connect middlewares within the Fastify ecosystem. These modules act as execution engines that intercept incoming HTTP requests and route them through an ordered stack of middleware functions. Fastify relies heavily on an encapsulation model where plugins define isolated execution scopes. This vulnerability compromises the boundary between parent and child scopes, allowing unauthorized access to protected resources.

The core issue is an interpretation conflict, classified under CWE-436. When a Fastify application propagates middleware from a parent scope to a child scope, the internal routing logic mutates the expected execution paths. This structural desynchronization results in the middleware engine failing to match incoming request URIs against its internal filter list. Consequently, security enforcement functions such as authentication validators and role-based access controllers are silently skipped.

The vulnerability manifests through two distinct technical mechanisms. The primary vector involves redundant prefixing during scope inheritance, where child plugins inadvertently double the path strings of inherited middleware. The secondary vector involves discrepancies in top-level path normalization configurations, where Fastify routing processes duplicate slashes differently than the Middie execution engine. Both vectors result in complete authorization bypass for affected routes.

The inheritance mechanism in Fastify plugins dictates that middleware registered in a parent scope must propagate to all initialized child scopes. The @fastify/middie engine manages this by storing registered middleware and their corresponding path prefixes in an internal state array. When a child plugin is registered with a specific route prefix, Fastify invokes the middleware registration hooks to recreate the execution chain within the isolated context.

The primary flaw exists in the double-prefixing logic executed during scope initialization. If a developer mounts an authentication middleware at /admin in the parent scope and subsequently registers a child plugin with the prefix /admin, the inheritance logic incorrectly applies the prefix concatenation twice. The internal path matcher translates the middleware's filter from /admin to /admin/admin. When a client requests /admin/secret, the engine evaluates the path against /admin/admin, fails the match, and drops the middleware from the execution stack entirely.

The secondary flaw involves configuration drift regarding path normalization settings such as ignoreDuplicateSlashes and ignoreTrailingSlash. Prior to version 9.3.2, @fastify/middie extracted these settings strictly from the routerOptions object. If developers applied these normalizations at the top-level Fastify constructor, the core Fastify router would correctly normalize an incoming URI like //secret to /secret. However, the Middie engine would retain the strict, unnormalized evaluation context. The engine compares //secret against the registered /secret middleware path, fails to match, and bypasses the security control while the Fastify router proceeds to execute the underlying handler.

The initial implementation of @fastify/middie handled plugin encapsulation by re-evaluating the .use() method upon scope initialization. This design incorrectly triggered the path prefixing logic a second time when propagating existing middleware from a parent context to a child context. Because the .use() function dynamically recalculates the mount path based on the current context prefix, passing an already-prefixed middleware back into this function corrupted the internal routing table.

The patch introduced in version 9.3.2 modifies the onRegister hook to bypass the decorated .use() method during state propagation. Instead of treating inherited middleware as new registrations, the engine now pushes the configuration directly into the internal kMiddlewares state array. The direct array manipulation ensures that the middleware retains its original, correctly computed path structure regardless of the child scope's prefix.

// Vulnerable implementation snippet
for (const [path, fn] of middlewares) {
  instance[kMiddie].use(path, fn)
  instance[kMiddieHasMiddlewares] = true
}
 
// Patched logic in onRegister
for (const [path, fn] of middlewares) {
  instance[kMiddlewares].push([path, fn])
  if (fn == null) {
    instance[kMiddie].use(path)
  } else {
    instance[kMiddie].use(path, fn)
  }
  instance[kMiddieHasMiddlewares] = true
}

The updated code handles the propagation securely by appending the tuples directly via instance[kMiddlewares].push([path, fn]). Furthermore, a new resolveNormalizationOptions function was introduced to synchronize Fastify's top-level constructor settings with Middie's internal state. This ensures that features like ignoreDuplicateSlashes are applied symmetrically across both the core router and the middleware execution chain.

Exploitation of CVE-2026-6270 requires network access to a Fastify application utilizing vulnerable versions of @fastify/middie or @fastify/fastify-express. The application must deploy security middleware at a parent scope and route sensitive functionality through encapsulated child plugins using the prefix option. No prior authentication or specialized network positioning is required to trigger the path interpretation conflict.

To exploit the double-prefixing vector, an attacker analyzes the target application's route structure to identify protected child plugins. If an endpoint resides at /api/v1/users, the attacker issues a standard HTTP GET request directly to that URI. Because the middleware path mutated to /api/v1/api/v1 during initialization, the execution engine skips the authentication validation logic. The attacker successfully reaches the underlying handler with an unauthenticated session state.

To exploit the normalization discrepancy vector, the attacker manipulates the HTTP request URI by injecting duplicate slashes. If the target endpoint is /admin/dashboard, the attacker constructs the URI //admin/dashboard. Fastify's core router normalizes the URI and routes the request to the correct dashboard controller. The Middie engine processes the raw URI, fails to match it against the registered /admin middleware path, and allows the unauthorized request to proceed.

The vulnerability carries a CVSS v3.1 Base Score of 9.1 (Critical) due to the severity of the authorization bypass. The attack vector is network-based, requires low complexity, and mandates no privileges or user interaction. Successful exploitation completely neutralizes confidentiality and integrity protections for the affected application routes, granting attackers unrestricted access to data and functionality intended strictly for authenticated users.

Concrete consequences depend on the operational context of the bypassed middleware. If the middleware performs JSON Web Token (JWT) validation, the attacker achieves an unauthenticated session hijack. If the middleware enforces Role-Based Access Control (RBAC) validations mapping administrative users to specific endpoints, the attacker gains full privilege escalation to administrative levels. The core application logic executes under the assumption that the request was previously validated and authorized.

The scope of the impact is technically constrained to routes governed by child plugins utilizing identical prefix definitions or applications utilizing top-level path normalization properties. Routes configured entirely within a single scope or those relying exclusively on native Fastify route-level lifecycle hooks (e.g., preHandler) are not affected by this specific middleware propagation flaw.

The primary remediation strategy requires upgrading the @fastify/middie package to version 9.3.2 or later. Organizations utilizing @fastify/fastify-express must review their dependency trees and enforce resolutions to ensure the updated Middie engine is utilized internally. Package managers such as npm or yarn provide the overrides or resolutions configuration directives to force nested dependency updates if the parent package has not published a direct version bump.

In environments where immediate patching is procedurally impossible, development teams must alter their architectural implementations. Security-critical middlewares should be migrated away from Express-style global handlers into Fastify's native lifecycle hooks, specifically utilizing onRequest or preHandler. These native hooks evaluate directly against the normalized Fastify route definitions and do not suffer from the path interpretation conflicts present in the legacy middleware engine.

Flattening the plugin scope tree serves as a temporary, albeit poor, architectural workaround. By registering all protected routes and corresponding middlewares in the global parent scope, the double-prefixing logic is completely bypassed. However, this destroys modularity and increases technical debt, making the native hook migration the preferred operational workaround until the patched binaries are deployed to production.