Mallory
Severity: Unrated

Denial of Service in @fastify/middie standalone engine URL normalization

Identifiers: CVE-2026-14181, CWE-248

CVE-2026-14181 affects @fastify/middie versions 9.1.0 through 9.3.2. The vulnerability is in the URL normalization step used by the standalone engine API when processing incoming request paths containing malformed percent-encoded sequences. Inputs such as incomplete percent escapes or truncated multibyte sequences cause the underlying decoder to throw a synchronous exception. In the standalone engine path, this exception is not guarded or caught within middie’s normalize step, allowing it to escape and terminate the Node.js process. The issue affects applications that invoke middie.run directly on the standalone engine API. Applications using the Fastify plugin integration are not affected because Fastify’s error handling catches the exception.


Impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

A remote attacker can trigger an immediate denial of service by sending a crafted HTTP request path containing malformed percent-encoded data to a vulnerable application using the standalone engine API. Successful exploitation crashes the Node.js process, interrupting service for all connected and subsequent clients until the process is restarted or otherwise recovered by supervision tooling.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, avoid use of the standalone engine API and migrate to the Fastify plugin path, where Fastify’s error handler catches the exception. As an additional defensive measure, place strict request validation or filtering in front of the application to reject malformed percent-encoded request paths before they reach the vulnerable normalization logic, though this is only a workaround and not a substitute for upgrading.
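The following is an added example, not code from @fastify/middie or Fastify. It assumes the decoder behind the normalize step behaves like Node's built-in decodeURIComponent (which throws a URIError on malformed escapes), and the sample paths are constructed. It shows the unguarded decode described above next to a guarded one, and the front-door filter the mitigation describes, including the truncated-multibyte case that a purely syntactic check misses.

```javascript
// Added example, not @fastify/middie code. Assumption: the throwing decoder
// behaves like Node's built-in decodeURIComponent (URIError on malformed input).

// Constructed sample paths. The first three contain syntactically broken
// percent escapes; the fourth is a truncated multibyte (UTF-8) sequence whose
// escapes are each well-formed hex but do not decode to a complete character.
const MALFORMED_PATHS = ['/api/%', '/api/%Z1', '/api/%E0%A4%A', '/api/%E0%A4'];
const VALID_PATHS = ['/api/users', '/api/%E2%9C%93'];

// Unguarded normalization: the exception escapes to the caller. Invoked from a
// request pipeline with no surrounding try/catch, this is the behaviour that
// takes down the process.
function unguardedNormalize(path) {
  return decodeURIComponent(path);
}

// Guarded normalization: a decode failure becomes a result the caller can map
// to an HTTP 400 instead of an uncaught exception. Only URIError is absorbed;
// anything else is a genuine bug and is rethrown.
function guardedNormalize(path) {
  try {
    return { ok: true, path: decodeURIComponent(path) };
  } catch (err) {
    if (err instanceof URIError) {
      return { ok: false, path: null, reason: 'malformed percent-encoding' };
    }
    throw err;
  }
}

// Front-door filter, as in the mitigation: a cheap syntactic check rejects a
// '%' not followed by two hex digits, and a decode attempt catches truncated
// multibyte sequences that are syntactically clean. Returns true only when the
// path is safe to hand to the normalize step.
const BAD_ESCAPE = /%(?![0-9A-Fa-f]{2})/;

function isWellFormedPath(path) {
  if (BAD_ESCAPE.test(path)) return false;
  return guardedNormalize(path).ok;
}

// Walk the constructed samples and report what each layer does with them.
for (const p of [...MALFORMED_PATHS, ...VALID_PATHS]) {
  const filtered = isWellFormedPath(p) ? 'pass' : 'reject';
  const guarded = guardedNormalize(p);
  console.log(`${p}\tfilter=${filtered}\tguarded=${guarded.ok ? guarded.path : guarded.reason}`);
}
```

In a deployment, isWellFormedPath is the check that belongs in the reverse proxy or an early middleware, so malformed paths never reach the normalize step; guardedNormalize is the shape of the fix the upgrade provides inside the library, which is why the filter is a workaround rather than a replacement for upgrading.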

Remediation

Patch, then assume compromise.

Upgrade @fastify/middie to version 9.3.3 or later, which patches the unhandled exception condition in the standalone engine URL normalization path.

Exploits

No public exploit code observed for this vulnerability.

Recent activity

9 sources tracked across advisories and community write-ups. No news coverage yet; advisories and community discussion only.
