
chore(deps): update dependency @fastify/middie to v9.3.2 [security]#439

Merged
renovate[bot] merged 1 commit into main from renovate/npm-fastify-middie-vulnerability
Apr 17, 2026

Conversation


@renovate renovate bot commented Apr 17, 2026

This PR contains the following updates:

Package         | Change        | Age     | Confidence
@fastify/middie | 9.2.0 → 9.3.2 | (badge) | (badge)

GitHub Vulnerability Alerts

CVE-2026-33804

Impact

@fastify/middie v9.3.1 and earlier does not read the deprecated (but still functional) top-level ignoreDuplicateSlashes option, only reading from routerOptions. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, allowing middleware bypass via URLs with duplicate leading slashes (e.g., //admin/secret).

This only affects applications using the deprecated top-level configuration style (fastify({ ignoreDuplicateSlashes: true })). Applications using routerOptions: { ignoreDuplicateSlashes: true } are not affected.

This is distinct from GHSA-8p85-9qpw-fwgw (CVE-2026-2880), which was patched in v9.2.0.

Patches

Upgrade to @fastify/middie >= 9.3.2.

Workarounds

Migrate from deprecated top-level ignoreDuplicateSlashes: true to routerOptions: { ignoreDuplicateSlashes: true }.

Severity
  • CVSS Score: 7.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2026-6270

Impact

@fastify/middie v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fails to match incoming requests.

This results in complete bypass of middleware security controls for all routes defined within affected child plugin scopes, including nested (grandchild) scopes. Authentication, authorization, rate limiting, and any other middleware-based security mechanisms are skipped. No special request crafting or configuration is required.

This is the same vulnerability class as GHSA-hrwm-hgmj-7p9c (CVE-2026-33807) in @fastify/express.

Patches

Upgrade to @fastify/middie v9.3.2 or later.

Workarounds

None. Upgrade to the patched version.

Severity
  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Release Notes

fastify/middie (@fastify/middie)

v9.3.2

Compare Source

⚠️ Security Release

This fixes CVE-2026-6270 (GHSA-72c6-fx6q-fr5w).
This fixes CVE-2026-33804 (GHSA-v9ww-2j6r-98q6).

What's Changed

Full Changelog: fastify/middie@v9.3.1...v9.3.2

v9.3.1

Compare Source

What's Changed

Full Changelog: fastify/middie@v9.3.0...v9.3.1

v9.3.0

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/middie@v9.2.0...v9.3.0


Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
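The configuration gap described in the first advisory (CVE-2026-33804), as an added illustration that is not code from this PR, Fastify or @fastify/middie: a small Node.js model in which the router reads ignoreDuplicateSlashes from either location while a pre-9.3.2 middie reads only routerOptions, evaluated against the deprecated config and the advisory's workaround. All functions and the sample route and mount paths are constructed for the example.

```javascript
// Added example (not Fastify or @fastify/middie code): a model of the
// normalization gap behind CVE-2026-33804. The router honours the option from
// either config location; the modelled pre-9.3.2 middie reads only routerOptions.

function collapseSlashes(url) { return url.replace(/\/{2,}/g, "/"); } // router-style normalization
function routerIgnoresDuplicateSlashes(opts) { // top level (deprecated) or routerOptions
  return Boolean(opts.ignoreDuplicateSlashes || (opts.routerOptions && opts.routerOptions.ignoreDuplicateSlashes));
}
function middieIgnoresDuplicateSlashes(opts) { // modelled pre-9.3.2 behaviour
  return Boolean(opts.routerOptions && opts.routerOptions.ignoreDuplicateSlashes);
}

// Does middleware mounted at `mount` (app.use(mount, fn)) run for `url`?
function middlewareRuns(url, mount, normalize) {
  const path = normalize ? collapseSlashes(url) : url;
  return path === mount || path.startsWith(mount + "/");
}
// Does the router resolve `url` to the registered `route`?
function routeMatches(url, route, normalize) {
  const path = normalize ? collapseSlashes(url) : url;
  return path === route;
}

// For one request under a given Fastify config: was a route served, and did the
// guard middleware see it? Route and mount defaults are constructed sample values.
function evaluate(opts, url, route = "/admin/secret", mount = "/admin") {
  return {
    routed: routeMatches(url, route, routerIgnoresDuplicateSlashes(opts)),
    guarded: middlewareRuns(url, mount, middieIgnoresDuplicateSlashes(opts)),
  };
}
// A bypass is a URL the router serves but the guard middleware never sees.
function isBypass(opts, url) {
  const r = evaluate(opts, url);
  return r.routed && !r.guarded;
}

const weakConfig = { ignoreDuplicateSlashes: true };                      // deprecated top-level style
const fixedConfig = { routerOptions: { ignoreDuplicateSlashes: true } };  // advisory workaround
console.log("deprecated config bypass:", isBypass(weakConfig, "//admin/secret"));    // true
console.log("routerOptions config bypass:", isBypass(fixedConfig, "//admin/secret")); // false
```

The same check can be turned into a regression test in an application that keeps the deprecated option, so the migration to routerOptions (or the upgrade to 9.3.2) is verified rather than assumed.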

@renovate renovate bot enabled auto-merge (squash) April 17, 2026 02:04
@renovate renovate bot merged commit c7140b6 into main Apr 17, 2026
4 checks passed
@renovate renovate bot deleted the renovate/npm-fastify-middie-vulnerability branch April 17, 2026 02:06