Uncaught Exception Affecting @fastify/middie package, versions >=9.1.0 <9.3.3


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.29% (21st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Uncaught Exception vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-FASTIFYMIDDIE-17753355
  • published1 Jul 2026
  • disclosed1 Jul 2026
  • creditJvr2022

Introduced: 1 Jul 2026

NewCVE-2026-14181  (opens in a new tab)
CWE-248  (opens in a new tab)

How to fix?

Upgrade @fastify/middie to version 9.3.3 or higher.

Overview

@fastify/middie is a Middleware engine for Fastify

Affected versions of this package are vulnerable to Uncaught Exception in the URL normalization process when handling malformed percent-encoded sequences in incoming request paths. An attacker can cause the Node.js process to terminate unexpectedly by sending specially crafted requests with incomplete percent escapes or truncated multibyte sequences. This is only exploitable if the standalone engine API is used directly, as applications using the Fastify plugin path are not affected.

Workaround

This vulnerability can be mitigated by migrating from the standalone engine API to the Fastify plugin path, where the framework error handler catches the exception.

CVSS Base Scores

version 4.0
version 3.1