Skip to content
Verified @fastify/middie encoded slash bypass on parameterized middleware paths
REPRO-2026-00207 Jul 2, 2026 .txt
Severity CRITICAL
Confidence HIGH
Reproduced in 9m 46s
Tool calls 128
Spend $1.79
$ pruva-verify REPRO-2026-00207
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00207/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

@fastify/middie decodes the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path: middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/ticket.md0.9 KB
bundle/ticket.json1.3 KB
bundle/repro/harness/harness_inject.js1.6 KB
bundle/repro/harness/harness_server.js1.1 KB
bundle/repro/harness/http_client.js0.7 KB
bundle/repro/runtime_manifest.json1.3 KB
bundle/repro/validation_verdict.json1.0 KB
bundle/logs/reproduction_steps.log3.4 KB
bundle/logs/inject_vuln.log0.3 KB
bundle/logs/inject_fixed.log0.3 KB
bundle/logs/vuln_variant/probe_vuln.json25.2 KB
bundle/logs/vuln_variant/probe_fixed.json25.2 KB
bundle/logs/vuln_variant/method_vuln.json2.5 KB
bundle/logs/vuln_variant/method_fixed.json2.5 KB
bundle/logs/vuln_variant/prefix_vuln.json0.9 KB
bundle/logs/vuln_variant/prefix_fixed.json0.9 KB
bundle/logs/vuln_variant/method_fixed.log2.5 KB
bundle/logs/vuln_variant/method_vuln.log2.5 KB
bundle/logs/vuln_variant/prefix_fixed.log0.9 KB
bundle/logs/vuln_variant/prefix_vuln.log0.9 KB
bundle/logs/vuln_variant/probe_fixed.log25.2 KB
bundle/logs/vuln_variant/probe_vuln.log25.2 KB
bundle/logs/vuln_variant/consolidated_comparison.txt6.9 KB
bundle/logs/vuln_variant/reproduction_steps.log3.1 KB
bundle/vuln_variant/harness/variant_probe.js7.6 KB
bundle/vuln_variant/harness/method_probe.js2.4 KB
bundle/vuln_variant/harness/prefix_probe.js2.2 KB
bundle/vuln_variant/out/probe_vuln.log25.2 KB
bundle/vuln_variant/out/probe_vuln.json32.3 KB
bundle/vuln_variant/out/probe_fixed.log25.2 KB
bundle/vuln_variant/out/probe_fixed.json32.4 KB
bundle/vuln_variant/out/method_vuln.log2.5 KB
bundle/vuln_variant/out/method_fixed.log2.5 KB
bundle/vuln_variant/out/method_vuln.json2.5 KB
bundle/vuln_variant/out/method_fixed.json2.5 KB
bundle/vuln_variant/out/prefix_vuln.log0.9 KB
bundle/vuln_variant/out/prefix_vuln.json0.9 KB
bundle/vuln_variant/out/prefix_fixed.log0.9 KB
bundle/vuln_variant/out/prefix_fixed.json0.9 KB
bundle/vuln_variant/out/comparison.txt6.9 KB
bundle/vuln_variant/harness_gen/consolidated_probe.js7.3 KB
bundle/vuln_variant/runtime_manifest.json1.6 KB
bundle/vuln_variant/patch_analysis.md9.7 KB
bundle/vuln_variant/variant_manifest.json5.2 KB
bundle/vuln_variant/validation_verdict.json2.9 KB
bundle/vuln_variant/source_identity.json2.0 KB
bundle/vuln_variant/root_cause_equivalence.json5.3 KB
bundle/repro/reproduction_steps.sh15.0 KB
bundle/repro/rca_report.md8.5 KB
bundle/vuln_variant/reproduction_steps.sh19.2 KB
bundle/vuln_variant/rca_report.md16.8 KB