CRITICAL🇵🇱 Wersja polska

CVE-2026-33808

CVSS 9.1v4.0pub. 2026-04-15upd. 2026-06-01

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path. PatchesUpgrade to @fastify/express v4.0.5 or later.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Fastify Fastify\/express

    APP
    Fastify
    < 4.0.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-6556CRITICAL9.1ten sam produkt

@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the...

CVE-2026-33807CRITICAL9.1PL ✓ten sam produkt

Pominięcie middleware security w @fastify/express — bypass uwierzytelniania

CVE-2026-14198CRITICAL9.1ten sam vendor

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before ...

CVE-2026-6270CRITICAL9.1PL ✓ten sam vendor

Pominięcie uwierzytelnienia w @fastify/middie — brak dziedziczenia middleware

CVE-2026-33805CRITICAL9.0PL ✓ten sam vendor

Usuwanie nagłówków proxy przez manipulację nagłówkiem Connection w @fastify/reply-from