fix(deps): update dependency @fastify/middie to v9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@fastify/middie	^8.3.0 → ^9.0.0

GitHub Vulnerability Alerts

CVE-2026-22031

Summary

A security vulnerability exists in @fastify/middie where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.

Details

The vulnerability is caused by how middie matches requests against registered middleware paths.

1. Regex Generation: When fastify.use('/admin', ...) is called, middie uses path-to-regexp to generate a regular expression for the path /admin.
2. Request Matching: For every request, middie executes this regular expression against req.url (or req.originalUrl).
3. The Flaw: req.url in Fastify contains the raw, undecoded path string.
   • The generated regex expects a decoded path (e.g., /admin).
   • If a request is sent to /%61dmin, the regex comparison fails (/^\/admin/ does not match /%61dmin).
   • middie assumes the middleware does not apply and calls next().
4. Route Execution: The request proceeds to Fastify's internal router, which performs URL decoding. It correctly identifies /%61dmin as /admin and executes the corresponding route handler.

Incriminated Source Code:
In the provided middie source:

// ... inside Holder function
if (regexp) {
  const result = regexp.exec(url) // <--- 'url' is undecoded.
  if (result) {
    // ... executes middleware ...
  } else {
    that.done() // <--- Middleware skipped on mismatch
  }
}

PoC

Step 1: Run the following Fastify application (save as app.js):

const fastify = require('fastify')({ logger: true });

async function start() {
  // Register middie for Express-style middleware support
  await fastify.register(require('@​fastify/middie'));

  // Middleware to block /admin route
  fastify.use('/admin', (req, res, next) => {
    res.statusCode = 403;
    res.end('Forbidden: Access to /admin is blocked');
  });

  // Sample routes
  fastify.get('/', async (request, reply) => {
    return { message: 'Welcome to the homepage' };
  });

  fastify.get('/admin', async (request, reply) => {
    return { message: 'Admin panel' };
  });

  // Start server
  try {
    await fastify.listen({ port: 3008 });
  } catch (err) {
    fastify.log.error(err);
    process.exit(1);
  }
}

start();

Step 2: Execute the attack.

1. Normal Request (Blocked):

   curl http://localhost:3008/admin
   # Output: Forbidden: Access to /admin is blocked

2. Bypass Request (Successful):

   curl http://localhost:3008/%61dmin
   # Output: {"message":"Admin panel"}

Impact

• Type: Authentication/Authorization Bypass.
• Affected Components: Applications using @fastify/middie to apply security controls (auth, rate limiting, IP filtering) to specific route prefixes.
• Severity: High. Attackers can trivially bypass critical security middleware to access protected administrative or sensitive endpoints.

---

Release Notes

fastify/middie (@​fastify/middie)

v9.1.0

Compare Source

What's Changed

• build(dependabot): reduce npm updates to monthly by @​Fdawgs in #​228
• chore: rename master to main by @​Fdawgs in #​230
• ci(ci): set job permissions by @​Fdawgs in #​231
• test: migrate from tap to node:test by @​matteo-gobbo in #​229
• chore: remove .taprc by @​Fdawgs in #​232
• ci: set permissions at workflow level by @​Fdawgs in #​233
• ci: restore job level permissions by @​Fdawgs in #​234
• build(deps-dev): bump serve-static from 1.16.2 to 2.2.0 by @​dependabot[bot] in #​235
• build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @​dependabot[bot] in #​236
• chore(license): update date ranges; standardise style by @​Fdawgs in #​237
• build(deps-dev): bump @​types/node from 22.15.34 to 24.0.8 by @​dependabot[bot] in #​238
• chore(tests): removed simple-get by @​ilteoood in #​239
• build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @​dependabot[bot] in #​241
• chore(.npmrc): ignore scripts by @​Fdawgs in #​242
• build(deps-dev): remove @​fastify/pre-commit by @​Fdawgs in #​243
• ci(ci): add concurrency config by @​Fdawgs in #​244
• build(deps-dev): bump @​types/node from 24.10.4 to 25.0.3 by @​dependabot[bot] in #​246
• fix: decode paths before matching by @​kamilmysliwiec in #​245

New Contributors

• @​matteo-gobbo made their first contribution in #​229
• @​ilteoood made their first contribution in #​239
• @​kamilmysliwiec made their first contribution in #​245

Full Changelog: fastify/middie@v9.0.3...v9.1.0

v9.0.3

Compare Source

What's Changed

• build(deps-dev): bump helmet from 7.2.0 to 8.0.0 by @​dependabot in #​217
• refactor(lib/engine): replace var with let by @​Fdawgs in #​218
• build(deps): bump fastify/workflows from 5.0.0 to 5.0.1 by @​dependabot in #​219
• style: remove trailing whitespace by @​Fdawgs in #​220
• docs(readme): update ci badge syntax by @​Fdawgs in #​221
• build(deps-dev): replace standard with neostandard by @​Fdawgs in #​222
• types: use node: prefix for builtins by @​Fdawgs in #​223
• build(deps-dev): bump neostandard from 0.11.9 to 0.12.0 by @​dependabot in #​224
• build(deps-dev): add eslint, peer dep of neostandard by @​Fdawgs in #​225
• refactor: prefix unused params with underscores by @​Fdawgs in #​226
• docs(readme): spelling and grammar fixes by @​Fdawgs in #​227

Full Changelog: fastify/middie@v9.0.2...v9.0.3

v9.0.2

Compare Source

What's Changed

• chore: update fastify to ^5.0.0 by @​Fdawgs in #​216

Full Changelog: fastify/middie@v9.0.1...v9.0.2

v9.0.1

Compare Source

Security

• path-to-regexp is updated to 8.1.0 to prevent ReDOS attack, it is recommended to use the latest version of this package.

What's Changed

• chore: bump path-to-regexp to 8.1.0 by @​climba03003 in #​212

Full Changelog: fastify/middie@v9.0.0...v9.0.1

v9.0.0

Compare Source

What's Changed

• Merge next into master by @​jsumners in #​203
• build(deps): bump @​fastify/error from 3.4.1 to 4.0.0 by @​dependabot in #​205
• build(deps): bump fastify/workflows from 4.1.0 to 4.2.1 by @​dependabot in #​206
• build(deps-dev): bump @​types/node from 20.14.13 to 22.0.0 by @​dependabot in #​208
• build(deps): bump fastify/workflows from 4.2.1 to 5.0.0 by @​dependabot in #​210
• chore: update min fastify version by @​Fdawgs in #​209

New Contributors

• @​jsumners made their first contribution in #​203

Full Changelog: fastify/middie@v8.3.1...v9.0.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.