Skip to main content

Fastify Express CVE-2026-33808

| EUVDEUVD-2026-22881 CRITICAL
Interpretation Conflict (CWE-436)
2026-04-15 openjs GHSA-6hw5-45gm-fj88
9.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Patch released
Apr 16, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 15, 2026 - 12:22 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 10:00 euvd
EUVD-2026-22881
Analysis Generated
Apr 15, 2026 - 10:00 vuln.today
CVE Published
Apr 15, 2026 - 09:29 nvd
CRITICAL 9.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @fastify/express (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.0.5.

DescriptionCVE.org

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.

PatchesUpgrade to @fastify/express v4.0.5 or later.

AnalysisAI

Authentication bypass in @fastify/express v4.0.4 and earlier allows remote unauthenticated attackers to access protected routes via URL path manipulation. The vulnerability exploits a URL normalization mismatch: Fastify router normalizes URLs (removing duplicate slashes or handling semicolon delimiters based on configuration), but @fastify/express passes the original un-normalized URL to Express middleware, causing path-scoped authentication checks to fail and be skipped entirely. No public expl

Technical ContextAI

@fastify/express is a middleware adapter that enables the use of Express-compatible middleware within Fastify applications. Fastify's router supports normalization options including ignoreDuplicateSlashes (treating '/api//protected' as '/api/protected') and useSemicolonDelimiter (treating '/api;protected' as '/api/protected'). The vulnerability (CWE-436: Interpretation Conflict) arises from a classic normalization mismatch between routing layers: Fastify's router performs normalization and successfully matches routes, but the @fastify/express adapter passes the raw, pre-normalization URL to Express middleware functions. Express middleware configured to protect specific paths (e.g., '/api/protected') receives the malformed path ('/api//protected' or '/api;protected') and fails to match, causing the middleware to skip execution entirely. This is a critical architectural flaw in multi-layer web frameworks where different components make inconsistent assumptions about URL canonicalization, a common source of security boundary violations in proxy and middleware chain scenarios.

RemediationAI

Immediately upgrade to @fastify/express version 4.0.5 or later, which resolves the URL normalization mismatch by ensuring Express middleware receives the same normalized URL that Fastify's router processes. For applications using npm, execute 'npm install @fastify/express@latest' or update package.json to specify '@fastify/express': '^4.0.5' and run 'npm install'. If immediate patching is not feasible, implement temporary mitigations: disable ignoreDuplicateSlashes and useSemicolonDelimiter options in Fastify router configuration to eliminate the normalization discrepancy, or migrate authentication logic from Express middleware to Fastify-native onRequest hooks which operate on normalized URLs consistently. Verify patch effectiveness by testing authentication bypass scenarios with duplicate slashes and semicolons in protected route paths. Review application logs for suspicious URL patterns containing '//' or ';' in requests to protected endpoints that may indicate exploitation attempts prior to patching. Consult the official security advisory at https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88 for additional implementation guidance and verification procedures.

Share

CVE-2026-33808 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy