CVE-2026-33808
Published 2026-04-15
Priority: P2 · 63 · critical · 9.1 (CVSS 3.1)
EPSS: 0.48% (38.0th percentile)
Impact: @fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.
Patches: Upgrade to @fastify/express v4.0.5 or later.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fastify | express | >= 0 < 4.0.5 | 4.0.5 |
| fastify | fastify_express | < 4.0.5 | 4.0.5 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v4.0 | 9.1 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | | 8.4 | HIGH | |
GHSA
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
Source: ghsa · 2026-04-16 · CVSS 8.4 · HIGH · CWE-436
### Summary
`@fastify/express` v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors:
1. **Duplicate slashes** (`//admin/dashboard`) when `ignoreDuplicateSlashes: true` is configured
2. **Semicolon delimiters** (`/admin;bypass`) when `useSemicolonDelimiter: true` is configured
In both cases, Fastify's router normalizes the URL and matches the route, but `@fastify/express` passes the original un-normalized URL to Express middleware, which fails to match and is skipped.
Note: This is distinct from GHSA-g6q3-96cp-5r
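As an added example (not code from @fastify/express, Fastify or Express), the JavaScript below models the two-layer mismatch the advisory describes: a simplified version of the router's `ignoreDuplicateSlashes` / `useSemicolonDelimiter` normalization next to a simplified Express prefix mount, showing why a path-scoped middleware is skipped on affected versions and how handing Express the normalized path (the fix) closes the gap. The route table, the `/admin` mount and the helper names are constructed for the illustration and are not the libraries' own APIs.

```javascript
// Added example, not @fastify/express code: a minimal model of the dispatch
// mismatch behind CVE-2026-33808. Both layers below are simplifications.

// Constructed route table: paths the router knows, in normalized form.
const ROUTES = new Set(['/admin', '/admin/dashboard']);

// Constructed option set matching the precondition named in the advisory.
const OPTS_ENABLED = { ignoreDuplicateSlashes: true, useSemicolonDelimiter: true };

// Simplified model of the router's normalization for the two options.
function normalizeUrl(url, opts = {}) {
  let path = url;
  if (opts.useSemicolonDelimiter) {
    // ';' starts the query part, so only the text before it is routed.
    const i = path.indexOf(';');
    if (i !== -1) path = path.slice(0, i);
  }
  if (opts.ignoreDuplicateSlashes) {
    path = path.replace(/\/{2,}/g, '/');
  }
  return path;
}

// Simplified Express mount check for app.use(prefix, fn): fn runs for the
// prefix itself and for sub-paths, so '//admin/...' and '/admin;...' miss.
function expressMountMatches(prefix, path) {
  return path === prefix || path.startsWith(prefix + '/');
}

// One request through both layers. normalizeForExpress=false models the
// affected behaviour (raw URL handed to Express); true models the fix.
function dispatch(rawUrl, opts, normalizeForExpress) {
  const routedPath = normalizeUrl(rawUrl, opts);
  const routeMatched = ROUTES.has(routedPath);
  const pathSeenByAuth = normalizeForExpress ? routedPath : rawUrl;
  const authRan = expressMountMatches('/admin', pathSeenByAuth);
  return { routedPath, routeMatched, authRan, bypass: routeMatched && !authRan };
}

// Defender-side check: a request whose path changes under normalization is
// exactly the kind that can reach a route without its path-scoped middleware.
function needsNormalization(rawUrl, opts) {
  return normalizeUrl(rawUrl, opts) !== rawUrl;
}

for (const url of ['/admin/dashboard', '//admin/dashboard', '/admin;bypass']) {
  console.log(url, 'affected:', dispatch(url, OPTS_ENABLED, false),
              'fixed:', dispatch(url, OPTS_ENABLED, true));
}
```

With the options disabled the same raw paths simply fail to match any route, which is why the advisory lists them as a precondition.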
VulDB
fastify express up to 4.0.4 interpretation conflict
Source: vuldb · 2026-04-15 · CVSS 9.1 · CRITICAL
A vulnerability categorized as critical has been discovered in fastify express up to 4.0.4. The impacted element is an unknown function. Executing a manipulation can lead to interpretation conflict.
The identification of this vulnerability is CVE-2026-33808. The attack may be launched remotely. There is no exploit available.
It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.