{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33808", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-23T19:48:48.715Z", "datePublished": "2026-04-15T09:29:46.091Z", "dateUpdated": "2026-04-15T13:10:24.054Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T09:29:46.091Z"}, "title": "@fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}], "affected": [{"vendor": "fastify", "product": "@fastify/express", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0.5", "versionType": "semver"}, {"status": "unaffected", "version": "4.0.5", "versionType": "semver"}], "defaultStatus": "unaffected", "packageURL": "pkg:npm/@fastify/express"}], "descriptions": [{"lang": "en", "value": "Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.\n\nPatchesUpgrade to @fastify/express v4.0.5 or later.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<h3>Impact</h3>@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.<br><br><h3>Patches</h3>Upgrade to @fastify/express v4.0.5 or later."}]}], "references": [{"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "FredKSchott", "type": "reporter"}, {"lang": "en", "value": "mcollina", "type": "remediation developer"}, {"lang": "en", "value": "UlisesGascon", "type": "remediation reviewer"}, {"lang": "en", "value": "climba03003", "type": "remediation reviewer"}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"references": [{"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:10:17.328470Z", "id": "CVE-2026-33808", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:10:24.054Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33808", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T13:10:17.328470Z"}}}], "references": [{"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:10:10.057Z"}}], "cna": {"title": "@fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)", "credits": [{"lang": "en", "type": "reporter", "value": "FredKSchott"}, {"lang": "en", "type": "remediation developer", "value": "mcollina"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}, {"lang": "en", "type": "remediation reviewer", "value": "climba03003"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "fastify", "product": "@fastify/express", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0.5", "versionType": "semver"}, {"status": "unaffected", "version": "4.0.5", "versionType": "semver"}], "packageURL": "pkg:npm/@fastify/express", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "x_generator": {"engine": "cve-kit 1.0.0"}, "descriptions": [{"lang": "en", "value": "Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.\n\nPatchesUpgrade to @fastify/express v4.0.5 or later.", "supportingMedia": [{"type": "text/html", "value": "<h3>Impact</h3>@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.<br><br><h3>Patches</h3>Upgrade to @fastify/express v4.0.5 or later.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T09:29:46.091Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33808", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:10:24.054Z", "dateReserved": "2026-03-23T19:48:48.715Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2026-04-15T09:29:46.091Z", "assignerShortName": "openjs"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.\n\nPatchesUpgrade to @fastify/express v4.0.5 or later."}], "id": "CVE-2026-33808", "lastModified": "2026-04-15T14:16:15.783", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-04-15T10:16:48.453", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://cna.openjsf.org/security-advisories.html"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-436"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.0.5)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "4.0.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "@fastify/express", "source": "cna", "vendor": "fastify"}, "product": "fastify-express", "vendor": "fastify"}], "analysis": {"en": {"generated_at": "2026-04-15T11:27:34.567750+00:00", "value": {"mitigation_remediation": ["Upgrade @fastify/express to version 4.0.5 or later.", "If an upgrade cannot be performed immediately, disable the Fastify router options ignoreDuplicateSlashes and useSemicolonDelimiter to prevent URL normalization gaps.", "Regularly verify the running version and monitor vendor advisories for updates related to this package."], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Vendors and products affected are the fastify:@fastify/express package, specifically all releases prior to version 4.0.5. Organizations that deploy this package and rely on the ignoreDuplicateSlashes or useSemicolonDelimiter router options are at risk. No other vendors are listed in the CNA data as affected.", "description_and_impact": "The vulnerability arises because @fastify/express does not normalize incoming URLs before forwarding them to Express middleware when Fastify router normalization options are enabled. When the Fastify option ignoreDuplicateSlashes or useSemicolonDelimiter is active, the router normalizes the path to select the route, but the original un\u2011normalized URL reaches the Express middleware. Consequently, middlewares that protect routes by inspecting the path are bypassed, allowing an unauthenticated attacker to reach protected endpoints without verification. This flaw directly maps to CWE-436, which describes failure to properly validate or sanitize inputs.", "risk_and_exploitability": "The CVSS score of 9.1 indicates a high severity, and the EPSS score is not available, but the lack of availability does not reduce the potential impact. The vulnerability has been verified as not listed in CISA's KEV catalog, meaning that known exploitation in the wild has not been documented. Based on the description, the likely attack vector is via HTTP requests sent to routes that depend on path-based authorization. An attacker merely needs to craft a URL containing duplicate slashes or semicolon delimiters to trigger the bypass. Successful exploitation results in unauthorized access to any resource protected by the Express middleware."}}}}, "created": "2026-04-15T13:49:14.857179+00:00", "updated": "2026-04-15T14:53:06.638990+00:00", "vendors": ["fastify", "fastify$PRODUCT$fastify-express"]}