


Perceptive Security
SOC/SIEM Consultancy

Published:
15 April 2026 at 22:00:00
Alert date:
16 April 2026 at 16:02:16
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
CVE-2026-33804 affects @fastify/middie versions 9.3.1 and earlier, allowing middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The vulnerability stems from middleware path matching logic that does not account for the duplicate-slash normalization performed by Fastify's router, so the middleware and the router can disagree about which path a request targets. Attackers can use requests with duplicate slashes to bypass authentication and authorization checks implemented as middleware. Only applications using the deprecated ignoreDuplicateSlashes option are affected. The fix is available in @fastify/middie version 9.3.2; the only workaround is to disable the ignoreDuplicateSlashes option.
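A simplified model of the mismatch described above, useful as a regression check for path-scoped guards. This is an added example, not code from @fastify/middie, Fastify or the advisory; the function names, the /admin prefix and the sample paths are assumptions, and middie's real matching logic differs in detail.

```javascript
// Simplified model, NOT @fastify/middie's or Fastify's source code.
// All function names, prefixes and paths below are hypothetical.

// Router side: conceptually what ignoreDuplicateSlashes does, collapsing
// runs of "/" into one before the route lookup.
function routerNormalize(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Middleware side, pre-fix model: prefix match against the raw URL path.
function guardMatchesRaw(prefix, rawPath) {
  return rawPath === prefix || rawPath.startsWith(prefix + '/');
}

// Middleware side, corrected model: apply the same normalization as the
// router before matching, so both layers evaluate the same path.
function guardMatchesNormalized(prefix, rawPath) {
  return guardMatchesRaw(prefix, routerNormalize(rawPath));
}

// For one request path, report whether the route resolves and whether
// the guard would run under each model.
function evaluate(rawPath, guardPrefix = '/admin', route = '/admin/users') {
  return {
    routeHit: routerNormalize(rawPath) === route,
    guardRanRaw: guardMatchesRaw(guardPrefix, rawPath),
    guardRanNormalized: guardMatchesNormalized(guardPrefix, rawPath),
  };
}

// A mismatch is a request that reaches the route while the guard is skipped.
function isMismatch(result) {
  return result.routeHit && !result.guardRanRaw;
}

// Constructed sample paths, printed as a small truth table.
for (const p of ['/admin/users', '//admin/users', '/admin//users', '/public']) {
  const r = evaluate(p);
  console.log(p.padEnd(16), JSON.stringify(r), isMismatch(r) ? 'MISMATCH' : 'ok');
}
```

In the model, the guard and the router only agree on every input once both apply the same normalization, which is why the fix belongs in the matching layer and not in individual route handlers.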
Technical details
Mitigation steps:
Affected products:
@fastify/middie
Fastify
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-33804
https://cna.openjsf.org/security-advisories.html
https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6
This article was created with the assistance of AI technology by Perceptive.
