@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-14198 is a critical path normalization vulnerability affecting @fastify/middie versions 9.1.0 through 9.3.2. The vulnerability exploits a disagreement between the middleware layer and Fastify's router on how encoded slashes (%2F) in path parameters are handled. While middie decodes these characters before matching middleware rules, Fastify's router preserves the encoding during route matching, creating a canonical path mismatch. This allows attackers to bypass authentication, authorization, rate limiting, and auditing middleware by crafting requests with encoded slashes in path parameters. Organizations using Fastify with parameterized routes protected by middie-based security controls are at immediate risk of unauthorized access to sensitive handlers.
Casky's platform would detect attack patterns associated with this vulnerability by analyzing request routing behavior and middleware enforcement gaps. While MITRE ATT&CK techniques aren't formally mapped to this CVE, the underlying attack pattern aligns with T1548 (Abuse Elevation Control Mechanism) and T1036 (Masquerading) through path obfuscation. Practitioners using Casky would observe findings related to inconsistent path normalization between security layers, suspicious requests containing %2F encoding in parameters reaching protected handlers, and authentication/authorization decision points being bypassed. The platform's extended reasoning would correlate middleware evaluation failures with successful route handler access, surfacing the semantic gap in path interpretation that enables the exploit.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-14198. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation