PT-2026-33035 · Npm · Fastify-Express
Climba03003 +3
Published 2026-04-15 · Updated 2026-04-16
CVE-2026-33808
CVSS v4.0 9.1 Critical
AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
@fastify/express versions prior to 4.0.5
Description
@fastify/express passes the original, un-normalized URL to Express middleware even when Fastify router normalization options are enabled. An unauthenticated attacker can use this to bypass path-scoped authentication middleware by manipulating the URL path: with ignoreDuplicateSlashes enabled, by inserting duplicate slashes; with useSemicolonDelimiter enabled, by inserting a semicolon delimiter. In both cases the Fastify router normalizes the URL and matches the intended route, while the Express middleware mounted on that path receives the raw URL, fails to match it, and is skipped.
Recommendations
Upgrade to @fastify/express v4.0.5 or later.
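The following is an added example written for this page, not code from @fastify/express, Fastify or Express. It models the mismatch described above with two small stand-ins: normalizePath imitates how the Fastify router treats the ignoreDuplicateSlashes and useSemicolonDelimiter options, and mountMatches imitates Express's app.use(mountPath, fn) prefix matching (simplified: case-sensitive, only "/" accepted after the prefix). The route `/admin`, the mount path, the 200/401/404 outcomes and the requests are constructed for illustration; the `middlewareSeesNormalized` flag selects whether the middleware is handed the raw URL (behaviour before 4.0.5) or the normalized one (fixed behaviour).

```javascript
// Added example: self-contained model of the normalization mismatch behind
// CVE-2026-33808. Not Fastify/Express code; both helpers below are
// simplified re-implementations written for this page.

// Routing view of the path, modelling the two Fastify router options
// named in the advisory:
//  - ignoreDuplicateSlashes: runs of "/" collapse to a single "/"
//  - useSemicolonDelimiter: ";" ends the path (the remainder is treated
//    like a query string)
function normalizePath(rawUrl, opts = {}) {
  let path = rawUrl.split('?')[0];
  if (opts.useSemicolonDelimiter) path = path.split(';')[0];
  if (opts.ignoreDuplicateSlashes) path = path.replace(/\/{2,}/g, '/');
  return path;
}

// Express-style mount matching (simplified: case-sensitive, and only "/"
// may follow the mount prefix). Express matches on the pathname, so the
// raw URL handed to it has only its query string removed, nothing else.
function mountMatches(mountPath, pathname) {
  if (!pathname.startsWith(mountPath)) return false;
  const next = pathname[mountPath.length];
  return next === undefined || next === '/';
}

const PROTECTED_ROUTE = '/admin'; // hypothetical Fastify route
const AUTH_MOUNT = '/admin';      // hypothetical Express auth middleware mount

// One simulated request. middlewareSeesNormalized = false reproduces
// @fastify/express before 4.0.5 (middleware receives the raw URL);
// true reproduces the fixed behaviour. The constructed request carries
// no credentials, so reaching the auth middleware always yields 401.
function handleRequest(rawUrl, opts, middlewareSeesNormalized) {
  const routed = normalizePath(rawUrl, opts);
  if (routed !== PROTECTED_ROUTE) return { status: 404, authRan: false };

  const seenByExpress = middlewareSeesNormalized ? routed : rawUrl.split('?')[0];
  const authRan = mountMatches(AUTH_MOUNT, seenByExpress);
  return authRan ? { status: 401, authRan } : { status: 200, authRan };
}

// Vulnerable vs fixed outcome for each bypass vector in the advisory.
function demo() {
  const dup = { ignoreDuplicateSlashes: true };
  const semi = { useSemicolonDelimiter: true };
  return {
    // baseline: a plain request is authenticated either way
    normal: handleRequest('/admin', dup, false).status,             // 401
    // duplicate-slash vector, before and after the fix
    dupVulnerable: handleRequest('//admin', dup, false).status,     // 200
    dupFixed: handleRequest('//admin', dup, true).status,           // 401
    // semicolon-delimiter vector, before and after the fix
    semiVulnerable: handleRequest('/admin;', semi, false).status,   // 200
    semiFixed: handleRequest('/admin;', semi, true).status,         // 401
    // with neither option enabled the router never matches the route,
    // which is the precondition reflected by AT:P in the CVSS vector
    noOption: handleRequest('//admin', {}, false).status,           // 404
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two vectors differ in where the extra character must sit: a duplicate slash has to break the prefix itself (`//admin`, not `/admin//users`, since Express accepts a `/` after the mount path), while a semicolon has to fall right after the mounted prefix (`/admin;`). Auditing an application for this issue therefore means looking at which router options are enabled and at exactly which mount paths the Express middleware uses.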
Affected Products
Fastify-Express