Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 1 npm packages depend on @fastify/express (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.0.5.
DescriptionCVE.org
Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.
PatchesUpgrade to @fastify/express v4.0.5 or later.
AnalysisAI
Authentication bypass in @fastify/express v4.0.4 and earlier allows remote unauthenticated attackers to access protected routes via URL path manipulation. The vulnerability exploits a URL normalization mismatch: Fastify router normalizes URLs (removing duplicate slashes or handling semicolon delimiters based on configuration), but @fastify/express passes the original un-normalized URL to Express middleware, causing path-scoped authentication checks to fail and be skipped entirely. No public expl
Technical ContextAI
@fastify/express is a middleware adapter that enables the use of Express-compatible middleware within Fastify applications. Fastify's router supports normalization options including ignoreDuplicateSlashes (treating '/api//protected' as '/api/protected') and useSemicolonDelimiter (treating '/api;protected' as '/api/protected'). The vulnerability (CWE-436: Interpretation Conflict) arises from a classic normalization mismatch between routing layers: Fastify's router performs normalization and successfully matches routes, but the @fastify/express adapter passes the raw, pre-normalization URL to Express middleware functions. Express middleware configured to protect specific paths (e.g., '/api/protected') receives the malformed path ('/api//protected' or '/api;protected') and fails to match, causing the middleware to skip execution entirely. This is a critical architectural flaw in multi-layer web frameworks where different components make inconsistent assumptions about URL canonicalization, a common source of security boundary violations in proxy and middleware chain scenarios.
RemediationAI
Immediately upgrade to @fastify/express version 4.0.5 or later, which resolves the URL normalization mismatch by ensuring Express middleware receives the same normalized URL that Fastify's router processes. For applications using npm, execute 'npm install @fastify/express@latest' or update package.json to specify '@fastify/express': '^4.0.5' and run 'npm install'. If immediate patching is not feasible, implement temporary mitigations: disable ignoreDuplicateSlashes and useSemicolonDelimiter options in Fastify router configuration to eliminate the normalization discrepancy, or migrate authentication logic from Express middleware to Fastify-native onRequest hooks which operate on normalized URLs consistently. Verify patch effectiveness by testing authentication bypass scenarios with duplicate slashes and semicolons in protected route paths. Review application logs for suspicious URL patterns containing '//' or ';' in requests to protected endpoints that may indicate exploitation attempts prior to patching. Consult the official security advisory at https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88 for additional implementation guidance and verification procedures.
More in Fastify Express
View allAuthorization bypass in the @fastify/express middleware-compatibility plugin (versions 4.0.6 and earlier) lets unauthent
Middleware bypass in Fastify Express plugin (fastify/express) allows complete circumvention of authentication, authoriza
Same weakness CWE-436 – Interpretation Conflict
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22881
GHSA-6hw5-45gm-fj88