CVE-2026-6270
Fastify · @fastify/middie
The @fastify/middie package fails to inherit middleware in child plugin scopes, leading to an authentication bypass for unauthenticated requests.
Executive summary
A critical authentication bypass in @fastify/middie allows unauthenticated requests to reach protected routes in child plugin scopes.
Vulnerability
The vulnerability stems from the improper registration of inherited middleware in child plugin instances: middleware registered in a parent scope is not applied to routes defined in the child scope. This logic error allows requests to bypass configured authentication checks, effectively rendering security controls on child routes ineffective.
Business impact
This flaw carries a CVSS score of 9.1, indicating a high risk of unauthorized access to sensitive application data and administrative functions. The bypass of authentication mechanisms may lead to unauthorized data exposure and potential manipulation of application states.
Remediation
Immediate Action: Update @fastify/middie to version 9.3.2 or later.
Proactive Monitoring: Monitor server-side access logs for unexpected traffic patterns reaching child plugin routes that should otherwise be restricted.
Compensating Controls: Implement global authentication middleware as a temporary measure if immediate patching is not possible.
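The monitoring step above can be made concrete with a small log scan. The following is an added example, not code from the advisory or from the Fastify project: it parses constructed access-log lines and flags successful requests to routes that an application is assumed to register inside child plugin scopes (the prefixes in PROTECTED_PREFIXES are assumptions) when no credentials were presented. The auth=yes|no field is a constructed addition to a combined-log-style line; real deployments would adapt the regular expression to their own log format.

```javascript
// Added example (not part of the advisory): find successful requests to
// child-scope routes that arrived without credentials.
// Assumed route prefixes registered inside child plugin scopes (not from the advisory).
const PROTECTED_PREFIXES = ['/admin', '/api/v1/users'];

// Constructed log format (one line per request):
// <ip> - <user> [<timestamp>] "<method> <path> <proto>" <status> <bytes> auth=<yes|no>
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) auth=(yes|no)$/;

// Parse a single line into a record, or return null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    user: m[2],
    ts: m[3],
    method: m[4],
    path: m[5],
    status: Number(m[6]),
    bytes: m[7],
    hasAuth: m[8] === 'yes',
  };
}

// True when the request path (query string ignored) falls under a protected prefix.
// The boundary check avoids matching "/administrator" against "/admin".
function isProtected(path) {
  const p = path.split('?')[0];
  return PROTECTED_PREFIXES.some((prefix) => p === prefix || p.startsWith(prefix + '/'));
}

// A finding is a request to a protected path that succeeded (2xx) without credentials.
// A 401/403 on the same path is the expected outcome and is not reported.
function findSuspiciousRequests(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    if (isProtected(rec.path) && !rec.hasAuth && rec.status >= 200 && rec.status < 300) {
      findings.push(rec);
    }
  }
  return findings;
}

// Constructed sample log lines; not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /admin/settings HTTP/1.1" 200 512 auth=no',
  '10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /admin/settings HTTP/1.1" 401 0 auth=no',
  '10.0.0.6 - alice [01/Jan/2026:10:00:02 +0000] "GET /admin/settings HTTP/1.1" 200 512 auth=yes',
  '10.0.0.7 - - [01/Jan/2026:10:00:03 +0000] "GET /public/health HTTP/1.1" 200 2 auth=no',
  '10.0.0.8 - - [01/Jan/2026:10:00:04 +0000] "POST /api/v1/users/42 HTTP/1.1" 204 0 auth=no',
];

// Render findings as one line each, suitable for forwarding to an alerting pipeline.
function report(lines) {
  return findSuspiciousRequests(lines).map(
    (f) => `${f.ts} ${f.ip} ${f.method} ${f.path} -> ${f.status} without credentials`
  );
}

for (const line of report(SAMPLE_LOG)) {
  console.log(line);
}
```

Only 2xx responses are reported because a rejected request on a protected route is the control working as intended; after the update to 9.3.2 or later, the expected result of this scan on fresh logs is an empty list.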
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Security teams must prioritize this update to ensure that all plugin scopes correctly enforce authentication. There are no known workarounds, making the software update the only viable path to remediation.