GHSA-V9WW-2J6R-98Q6 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option

Impact @fastify/middie v9.3.1 and earlier does not read the deprecated but still functional top-level ignoreDuplicateSlashes option, only reading from routerOptions. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, allowing middleware bypass via...

@andreacioni/saml2-nest-lib (=0.0.7), @apps-in-toss/web-framework (>=2.0.0 <=2.6.1) +223 more potentially affected by CVE-2026-2880 via @fastify/middie (>=8.0.0 <=9.1.0)

@fastify/middie NPM version =8.0.0, =2.0.0, =1.1.6, =1.0.5, =0.2.5, =0.0.6, =0.0.1, =0.0.1, =4.33.5, =2.0.7, =0.0.0-canary-20240602190113, =0.0.0-canary-20240602190113, =0.1.0, =0.7.1 and more Source cves: CVE-2026-2880 Source advisory: OSV:GHSA-8P85-9QPW-FWGW...