CVE-2026-14181 @fastify/middie standalone engine vulnerable to Denial of Service via malformed percent-encoded paths
@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder t...