Compliance Impact

CVE-2026-33808 allows unauthenticated attackers to bypass path-scoped authentication middleware by exploiting inconsistent URL normalization in @fastify/express. This leads to unauthorized access to protected routes, including potentially sensitive data or administrative functions.

Such unauthorized access can result in violations of common security requirements found in standards and regulations like GDPR and HIPAA, which mandate strict access controls to protect personal and sensitive information.

Therefore, if an application using @fastify/express v4.0.4 or earlier with affected configurations is exploited, it may fail to comply with these regulations due to compromised confidentiality and integrity of protected data.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33808 is a critical authentication bypass vulnerability in the npm package @fastify/express version 4.0.4 and earlier. The issue occurs because @fastify/express fails to properly normalize URLs before passing them to Express middleware when certain Fastify router normalization options are enabled, specifically ignoreDuplicateSlashes or useSemicolonDelimiter.

Fastify's router normalizes URLs by removing duplicate slashes or splitting semicolon parameters for route matching. However, @fastify/express passes the original, unnormalized URL to Express middleware, causing middleware path matching to fail and be skipped.

This allows an unauthenticated attacker to bypass path-scoped authentication middleware by manipulating the URL path with duplicate slashes or semicolon delimiters, gaining unauthorized access to protected routes.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to completely bypass authentication middleware that relies on path-based access control in applications using @fastify/express v4.0.4 or earlier with Fastify 5.x and the affected normalization options enabled.

Attackers can access sensitive routes such as admin panels, APIs, or user data without any credentials by crafting URLs with duplicate slashes or semicolon delimiters.

The impact is high confidentiality and integrity loss due to unauthorized access, potentially leading to data breaches, unauthorized actions, and compromise of protected resources.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing whether URLs with duplicate slashes or semicolon delimiters bypass authentication middleware in your application using @fastify/express v4.0.4 or earlier with Fastify router normalization options enabled.

You can attempt to access protected routes by sending HTTP requests with crafted URLs such as:

• Using duplicate slashes: e.g., //admin/dashboard or ///admin/dashboard
• Using semicolon delimiters: e.g., /admin;bypass or /admin;jsessionid=123

If these requests succeed in accessing protected routes without authentication, it indicates the vulnerability is present.

Example commands using curl to test this might be:

• curl -i http://yourserver//admin/dashboard
• curl -i http://yourserver/admin;bypass

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade @fastify/express to version 4.0.5 or later, where this vulnerability is patched.

This patch ensures that URLs are properly normalized before being passed to Express middleware, preventing bypass via duplicate slashes or semicolon delimiters.

If upgrading immediately is not possible, consider temporarily disabling the Fastify router normalization options `ignoreDuplicateSlashes` and `useSemicolonDelimiter` to prevent the mismatch in URL normalization.

Additionally, review your authentication middleware to ensure it does not rely solely on path-based matching that can be bypassed by URL manipulation.

Useful 0 Not Useful 0