@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder to throw synchronously, and the exception escapes the middie normalize step and terminates the Node.js process. The issue affects applications that call middie.run directly on the standalone engine API, causing an immediate denial of service for all connected clients until restart. Applications using the Fastify plugin path are not affected because Fastify's error handler catches the exception. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: migrate from the standalone engine API to the Fastify plugin path, where the framework error handler catches the exception.
CVE-2026-14181 affects @fastify/middie versions 9.1.0 through 9.3.2 and represents a critical availability vulnerability in Node.js web applications. The vulnerability stems from improper exception handling during URL normalization—when the middie middleware encounters malformed percent-encoded sequences in request paths (such as incomplete escape sequences or truncated multibyte characters), the underlying decoder throws a synchronous exception that bypasses middie's error handling. This unhandled exception propagates up and terminates the entire Node.js process, enabling an unauthenticated attacker to cause denial of service with a single crafted HTTP request. Applications directly calling middie.run on the standalone engine API are particularly vulnerable, making this a critical risk for Fastify deployments that depend on this middleware for request processing.
While MITRE ATT&CK technique mappings are not directly provided for this CVE, Casky's security skills powered by Claude AI would detect attack patterns associated with resource exhaustion and application availability disruption. Practitioners using Casky would observe findings related to improper error handling (CWE-248), which manifests as unhandled exceptions in request processing pipelines. Extended reasoning analysis would identify the attack chain: an attacker sends HTTP requests with deliberately malformed URL encodings → the normalization function lacks defensive decoding logic → synchronous exceptions escape handler boundaries → process termination. Security teams would see suspicious patterns of single-request process crashes in their application logs, correlating with unusual URL patterns containing incomplete percent-encoding or non-UTF-8 multibyte sequences, enabling rapid detection and mitigation before widespread availability impact.
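The failure mode described above, as an added example that is not @fastify/middie's own code: an unguarded normalizer that lets the decoder's exception escape, beside a guarded version that turns it into a rejected request. It assumes the decoder is Node's decodeURIComponent, which throws URIError on malformed percent-escapes; whether middie calls exactly that function is an assumption.

```javascript
'use strict';

// Unguarded pattern: a malformed escape such as "%" or a truncated
// multibyte sequence such as "%E2%82" makes decodeURIComponent throw
// URIError synchronously. In a request pipeline with no catch, that
// exception is what takes the whole process down.
function unguardedNormalize(rawPath) {
  return decodeURIComponent(rawPath.split('?')[0]);
}

// Guarded pattern: the decoder exception is caught and converted into a
// result the caller can map to a 400 response, so one bad request cannot
// terminate the process. Only URIError is swallowed; anything else is a
// real bug and is rethrown so it stays visible.
function safeNormalizePath(rawPath) {
  const path = rawPath.split('?')[0]; // only the path is decoded
  let decoded;
  try {
    decoded = decodeURIComponent(path);
  } catch (err) {
    if (err instanceof URIError) {
      return { ok: false, status: 400, reason: 'malformed percent-encoding' };
    }
    throw err;
  }
  // Collapse empty segments and resolve "." / ".." after decoding.
  const segments = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg);
  }
  return { ok: true, status: 200, path: '/' + segments.join('/') };
}

// Constructed sample paths: two malformed (incomplete escape, truncated
// UTF-8 sequence) and two well-formed.
const samplePaths = ['/api/%', '/api/%E2%82', '/api/%E2%82%AC/..//x', '/ok/path?q=%'];

function classifySamples() {
  return samplePaths.map((p) => ({ input: p, result: safeNormalizePath(p) }));
}

for (const { input, result } of classifySamples()) {
  console.log(input, '->', result.ok ? result.path : `${result.status} ${result.reason}`);
}
```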