CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path. PatchesUpgrade to @fastify/express v4.0.5 or later.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cna.openjsf.org/security-advisories.html	Vendor Advisory
https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88	Exploit Mitigation Vendor Advisory
https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:fastify:fastify\/express:*:*:*:*:*:node.js:*:*

History

01 Jun 2026, 15:20

Type	Values Removed	Values Added
CPE		cpe:2.3:a:fastify:fastify\/express::::::node.js::*
References	~~() https://cna.openjsf.org/security-advisories.html -~~	() https://cna.openjsf.org/security-advisories.html - Vendor Advisory
References	~~() https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88 -~~	() https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88 - Exploit, Mitigation, Vendor Advisory
First Time		Fastify Fastify fastify\/express
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1

15 Apr 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-15 10:16

Updated : 2026-06-01 15:20

NVD link : CVE-2026-33808

Mitre link : CVE-2026-33808

CVE.ORG link : CVE-2026-33808

JSON object : View

Products Affected

fastify

fastify\/express

CWE

CWE-436

Interpretation Conflict

{"id": "CVE-2026-33808", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-15T10:16:48.453", "references": [{"url": "https://cna.openjsf.org/security-advisories.html", "tags": ["Vendor Advisory"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "description": [{"lang": "en", "value": "CWE-436"}]}], "descriptions": [{"lang": "en", "value": "Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.\n\nPatchesUpgrade to @fastify/express v4.0.5 or later."}], "lastModified": "2026-06-01T15:20:30.987", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fastify:fastify\\/express:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "FD8C629A-73A6-46F2-BA53-823A9CE66738", "versionEndExcluding": "4.0.5"}], "operator": "OR"}]}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb"}