CVE-2026-33808 Overview
A critical authentication bypass vulnerability exists in @fastify/express v4.0.4 and earlier that allows unauthenticated attackers to access protected routes by exploiting URL normalization inconsistencies between Fastify and Express middleware. The vulnerability stems from the plugin failing to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled.
When ignoreDuplicateSlashes or useSemicolonDelimiter options are enabled in Fastify, the router normalizes incoming URLs before matching routes. However, @fastify/express passes the original un-normalized URL to Express middleware. This mismatch allows attackers to craft malicious URLs with duplicate slashes (//) or semicolon delimiters that bypass path-scoped authentication middleware while still matching protected Fastify routes.
Critical Impact
Unauthenticated attackers can completely bypass authentication middleware protecting sensitive routes, potentially gaining unauthorized access to all protected application functionality.
Affected Products
- @fastify/express v4.0.4 and earlier
- Applications using Fastify with ignoreDuplicateSlashes option enabled
- Applications using Fastify with useSemicolonDelimiter option enabled
Discovery Timeline
- 2026-04-15 - CVE CVE-2026-33808 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-33808
Vulnerability Analysis
This vulnerability is classified as CWE-436 (Interpretation Conflict), where two components interpret the same input differently, leading to a security bypass. The root issue lies in how @fastify/express bridges two routing systems with incompatible URL normalization behaviors.
When a Fastify application enables URL normalization options such as ignoreDuplicateSlashes, the Fastify router internally normalizes URLs like //admin//dashboard to /admin/dashboard before route matching. However, the @fastify/express plugin passes the original, un-normalized URL to any registered Express middleware. Express middleware configured to protect /admin paths will not match the malformed //admin path, causing the authentication check to be completely skipped while Fastify still routes the request to the protected handler.
The attack surface extends to any path-based middleware in Express, including session validation, RBAC checks, rate limiting, and logging middleware scoped to specific routes.
Root Cause
The root cause is a failure to synchronize URL normalization between the Fastify routing layer and the Express middleware layer. The @fastify/express plugin does not apply Fastify's normalization logic to URLs before passing them to Express middleware, creating an interpretation conflict between the two systems.
When Fastify normalizes a URL for route matching but @fastify/express provides the original URL to Express middleware, the middleware operates on a different URL than the one Fastify matched, allowing attackers to craft URLs that evade middleware path matching while still reaching protected route handlers.
Attack Vector
The attack exploits URL path manipulation to bypass authentication middleware. When ignoreDuplicateSlashes is enabled, an attacker can access protected routes by inserting duplicate slashes in the URL path. For example, a request to //api//admin//users bypasses Express middleware configured for /api/admin/users because Express receives the un-normalized path while Fastify matches and routes to the protected handler.
Similarly, when useSemicolonDelimiter is enabled, attackers can use semicolon characters in URL paths to achieve the same bypass effect. The attack requires no authentication and can be executed remotely with a simple HTTP request, making it trivial to exploit once discovered.
For detailed technical information about the exploitation mechanism, see the GitHub Fastify Security Advisory.
Detection Methods for CVE-2026-33808
Indicators of Compromise
- HTTP access logs showing requests with duplicate slashes (//) or semicolons in URL paths to protected endpoints
- Successful responses (HTTP 200) to malformed URL requests that should require authentication
- Access to administrative or protected functionality without corresponding authentication events
- Unusual patterns of requests with path manipulation characters targeting sensitive routes
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing duplicate slashes or semicolons in URL paths
- Monitor application logs for successful access to protected routes without associated authentication tokens or session identifiers
- Deploy anomaly detection for URL patterns that deviate from expected normalized paths
- Create SIEM correlation rules matching successful protected route access with missing authentication audit events
Monitoring Recommendations
- Enable detailed access logging including full request URLs before any normalization
- Monitor for reconnaissance patterns testing various URL path manipulations against authentication-protected endpoints
- Set up alerts for sudden increases in requests containing unusual path characters to sensitive endpoints
- Implement real-time monitoring of authentication bypass attempts through URL manipulation patterns
How to Mitigate CVE-2026-33808
Immediate Actions Required
- Upgrade @fastify/express to v4.0.5 or later immediately
- Audit application logs for evidence of exploitation using malformed URL paths
- Review all Express middleware that relies on URL path matching for security decisions
- Consider temporarily disabling ignoreDuplicateSlashes and useSemicolonDelimiter options if immediate upgrade is not possible
Patch Information
The vulnerability has been addressed in @fastify/express v4.0.5. The patch ensures that URLs are properly normalized before being passed to Express middleware, eliminating the interpretation conflict between Fastify routing and Express middleware path matching.
Upgrade via npm:
npm update @fastify/express
Verify the installed version:
npm list @fastify/express
For more information, see the GitHub Fastify Security Advisory and the OpenJSF Security Advisories.
Workarounds
- Disable ignoreDuplicateSlashes and useSemicolonDelimiter Fastify router options until the patch can be applied
- Implement URL normalization in a custom Fastify hook that runs before Express middleware
- Add an upstream reverse proxy or WAF rule to normalize or reject URLs with duplicate slashes and semicolons before they reach the application
- Move authentication logic from Express middleware to Fastify hooks that operate on normalized URLs
# Example: Update @fastify/express to patched version
npm install @fastify/express@^4.0.5
# Verify installation
npm list @fastify/express
# Expected output: @fastify/express@4.0.5 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
