CVE-2026-33808: Authentication Bypass via Path Normalization Drift in @fastify/express
Vulnerability ID: CVE-2026-33808
CVSS Score: 9.1
Published: 2026-04-16
An interpretation conflict (CWE-436) in @fastify/express up to version 4.0.4 allows unauthenticated attackers to bypass path-scoped middleware. By exploiting normalization drift between the Fastify router and the Express middleware engine using duplicate slashes or semicolon delimiters, attackers can access protected endpoints.
TL;DR
Unauthenticated attackers can bypass Express middleware in @fastify/express <= 4.0.4 by exploiting URL parsing discrepancies between the Fastify router and Express middleware engine using duplicate slashes or semicolons.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-436
- Attack Vector: Network
- CVSS v4.0: 9.1
- EPSS Score: 0.11%
- Exploit Status: PoC Available
- CISA KEV: Not Listed
Affected Systems
- @fastify/express plugin in Node.js environments
- @fastify/express: <= 4.0.4 (Fixed in: 4.0.5)
Code Analysis
Commit: 674020f
Fix path normalization divergence by aligning the middleware execution context with the Fastify instance URL normalization configuration.
Mitigation Strategies
- Dependency Update
- Manual Request Interception
- WAF Rule Implementation
Remediation Steps:
- Identify all projects utilizing @fastify/express via dependency audits (e.g., npm audit or yarn audit).
- Update the @fastify/express package to version 4.0.5 or higher.
- Verify the update by running integration tests against protected routes using duplicate slashes and semicolon delimiters.
- If patching is delayed, implement a Fastify onRequest hook to sanitize req.raw.url manually.
- Deploy WAF rules to reject HTTP requests containing multiple consecutive slashes or semicolons in the request URI.
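The interim onRequest hook described in the remediation steps, as an added example that is not code from the @fastify/express project: it rejects request paths containing the two delimiter patterns named in this advisory (duplicate slashes and semicolons) before any Express middleware or route handler sees them, and also checks the once percent-decoded path so an encoded form of the same delimiters is caught. The hook follows Fastify's async hook convention; the 400 response body is an assumed format.

```javascript
// Added example (not @fastify/express project code): an onRequest hook that
// rejects request paths the Fastify router and the Express middleware engine
// may normalise differently, as a stopgap until 4.0.5 is deployed.

// Path component of the raw request-target, without query string or fragment
function requestPath(rawUrl) {
  return String(rawUrl).split(/[?#]/, 1)[0];
}

// Percent-decode once; a malformed escape sequence leaves the path unchanged
function decodeOnce(path) {
  try {
    return decodeURIComponent(path);
  } catch {
    return path;
  }
}

// True when the path contains "//" anywhere or ";" in any segment, checked
// both raw and once-decoded so "%2F%2F" and "%3B" are caught as well.
function hasNormalizationDrift(rawUrl) {
  const path = requestPath(rawUrl);
  return [path, decodeOnce(path)].some((p) => p.includes('//') || p.includes(';'));
}

// Fastify onRequest hook (async form). Register it before any Express
// middleware is attached:
//   fastify.addHook('onRequest', rejectNormalizationDrift)
// Returning `reply` after sending tells Fastify the hook ended the request.
async function rejectNormalizationDrift(request, reply) {
  if (hasNormalizationDrift(request.raw.url)) {
    // Response body format is an assumption; adapt it to your API's error shape
    reply.code(400).send({ error: 'Bad Request', message: 'Rejected ambiguous request path' });
    return reply;
  }
}
```

The hook inspects request.raw.url, which is the unmodified request-target from Node's HTTP server, so it sees the same bytes the Express middleware engine would later re-parse.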