CVE-2026-33808

Published 15/04/2026 10:16 · Modified 15/04/2026 14:16

Labels: CVE-2026-33808, 2026-04-15, CWE-436, ce714d77-add3-4f53-aff5-83d477b104bb

Essential information

Published
15/04/2026 10:16
Modified
15/04/2026 14:16
Author
Creator
CVSS
9.1 CRITICAL (v3) 9.1 CRITICAL (v4.0)
CISA KEV
No
CWE
CWE-436
Description

Impact

@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows a complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, the Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to the Express middleware, which fails to match and is therefore skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.

Patches

Upgrade to @fastify/express v4.0.5 or later.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
ce714d77-add3-4f53-aff5-83d477b104bb

Affected products (CPE)

Product            CPE
fastify / express  cpe:2.3:a:fastify:express:<4.0.5:*:*:*:*:*:*:*

References