EUVD-2026-22881
GHSA-6hw5-45gm-fj88
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionNVD
Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.
PatchesUpgrade to @fastify/express v4.0.5 or later.
AnalysisAI
Authentication bypass in @fastify/express v4.0.4 and earlier allows remote unauthenticated attackers to access protected routes via URL path manipulation. The vulnerability exploits a URL normalization mismatch: Fastify router normalizes URLs (removing duplicate slashes or handling semicolon delimiters based on configuration), but @fastify/express passes the original un-normalized URL to Express middleware, causing path-scoped authentication checks to fail and be skipped entirely. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all systems running @fastify/express and document current versions via dependency scanning (npm audit, SBOM review). Within 7 days: Implement URL normalization validation in application routing logic as interim protection; review authentication middleware logs for suspicious URL patterns. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today