Description

Impact

@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.

Patches

Upgrade to @fastify/express v4.0.5 or later.
Published: 2026-04-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises because @fastify/express does not normalize incoming URLs before forwarding them to Express middleware when Fastify router normalization options are enabled. When the Fastify option ignoreDuplicateSlashes or useSemicolonDelimiter is active, the router normalizes the path to select the route, but the original un-normalized URL reaches the Express middleware. Consequently, middleware that protects routes by inspecting the path is skipped, allowing an unauthenticated attacker to reach protected endpoints without verification. This flaw maps to CWE-436 (Interpretation Conflict): two components, the Fastify router and the Express middleware layer, interpret the same request path differently, and the security decision is made on the interpretation the attacker controls.
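The normalization gap described above, as an added example that is not code from @fastify/express or Fastify: `normalizePath` is a simplified stand-in for the two router options, `mountMatches` models Express's mount-path check (exact match or prefix followed by "/"), and `dispatch` contrasts the v4.0.4 flow with a flow that hands the middleware the router's normalized path. `hasNormalizationGap` is a hypothetical helper a defender could wire into request logging to flag requests whose raw path differs from the normalized one.

```javascript
// Added example: a self-contained model of the advisory's normalization gap.
// Neither Fastify nor Express is used; option handling below is a simplified
// mirror of the documented router options, not the real implementation.

// Path the protected route lives at, and the mount path of the auth middleware
// that is supposed to guard it (constructed for the example).
const PROTECTED_ROUTE = '/admin/secret';
const AUTH_MOUNT = '/admin/secret';

// Model of the Fastify router's view of the path.
function normalizePath(rawUrl, opts) {
  let path = rawUrl;
  // With useSemicolonDelimiter the router treats ";" as the start of the query.
  if (opts.useSemicolonDelimiter) path = path.split(';')[0];
  path = path.split('?')[0];
  // With ignoreDuplicateSlashes the router collapses runs of "/" into one.
  if (opts.ignoreDuplicateSlashes) path = path.replace(/\/{2,}/g, '/');
  return path;
}

// Express-style mount matching: "/a" guards "/a" and "/a/..." only.
function mountMatches(mountPath, path) {
  return path === mountPath || path.startsWith(mountPath + '/');
}

// Express itself only recognises "?" as the query delimiter.
function expressPath(rawUrl) {
  return rawUrl.split('?')[0];
}

// normalizeBeforeMiddleware=false reproduces the vulnerable flow (middleware
// sees the raw URL); true models a flow where both layers see the same path.
function dispatch(rawUrl, opts) {
  const routerPath = normalizePath(rawUrl, opts);
  const routeMatched = routerPath === PROTECTED_ROUTE;
  const middlewarePath = opts.normalizeBeforeMiddleware
    ? routerPath
    : expressPath(rawUrl);
  const authChecked = mountMatches(AUTH_MOUNT, middlewarePath);
  return { routeMatched, authChecked, bypassed: routeMatched && !authChecked };
}

// Detection signal: the router and the middleware layer disagree on the path.
function hasNormalizationGap(rawUrl, opts) {
  return normalizePath(rawUrl, opts) !== expressPath(rawUrl);
}
```

Disabling both router options (the interim workaround) removes the disagreement entirely, which `hasNormalizationGap` reports as false for every request.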

Affected Systems

Vendors and products affected are the fastify:@fastify/express package, specifically all releases prior to version 4.0.5. Organizations that deploy this package and rely on the ignoreDuplicateSlashes or useSemicolonDelimiter router options are at risk. No other vendors are listed in the CNA data as affected.

Risk and Exploitability

The CVSS 4.0 score of 9.1 indicates critical severity. An EPSS score was not available when this analysis was generated, but that does not reduce the potential impact. The vulnerability is not listed in CISA's KEV catalog, so exploitation in the wild has not been documented. Based on the description, the attack vector is HTTP requests to routes that depend on path-based authorization: a URL containing duplicate slashes or a semicolon delimiter is enough to trigger the bypass, so no credentials or user interaction are required. Successful exploitation results in unauthorized access to any resource protected by the Express middleware.

Generated by OpenCVE AI on April 15, 2026 at 11:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @fastify/express to version 4.0.5 or later.
  • If an upgrade cannot be performed immediately, disable the Fastify router options ignoreDuplicateSlashes and useSemicolonDelimiter to prevent URL normalization gaps.
  • Regularly verify the running version and monitor vendor advisories for updates related to this package.

Generated by OpenCVE AI on April 15, 2026 at 11:27 UTC.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

First Time appeared (values added): Fastify; Fastify fastify-express
Vendors & Products (values added): Fastify; Fastify fastify-express

Wed, 15 Apr 2026 14:15:00 +0000

Metrics (values added): ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 10:00:00 +0000

Description (value added): Impact: @fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path. Patches: Upgrade to @fastify/express v4.0.5 or later.
Title (value added): @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
Weaknesses (value added): CWE-436
References (value added):
Metrics (value added): cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-04-15T13:10:24.054Z

Reserved: 2026-03-23T19:48:48.715Z

Link: CVE-2026-33808

Vulnrichment

Updated: 2026-04-15T13:10:10.057Z

NVD

Status: Received

Published: 2026-04-15T10:16:48.453

Modified: 2026-04-15T14:16:15.783

Link: CVE-2026-33808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:53:06Z

Weaknesses