CVE-2026-33808: CWE-436: Interpretation Conflict in fastify @fastify/express
Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path. PatchesUpgrade to @fastify/express v4.0.5 or later.
AI Analysis
Technical Summary
@fastify/express versions up to 4.0.4 fail to normalize URLs consistently between Fastify routing and Express middleware when certain normalization options are enabled. Specifically, Fastify router normalizes URLs by removing duplicate slashes or interpreting semicolon delimiters, but the original un-normalized URL is forwarded to Express middleware. This discrepancy leads to Express middleware not matching the intended routes and skipping authentication middleware, allowing attackers to bypass path-scoped authentication controls. The vulnerability is tracked as CWE-436 (Interpretation Conflict).
Potential Impact
An unauthenticated attacker can bypass path-scoped authentication middleware by manipulating URL paths using duplicate slashes or semicolon delimiters, gaining unauthorized access to protected routes. The CVSS 4.0 score is 9.1 (critical), indicating high exploitability and impact without requiring privileges or user interaction.
Mitigation Recommendations
Upgrade to @fastify/express version 4.0.5 or later, where this URL normalization inconsistency is resolved. No other mitigation or temporary workaround is documented. Patch status is confirmed by the vendor advisory indicating the fix is available in v4.0.5.
CVE-2026-33808: CWE-436: Interpretation Conflict in fastify @fastify/express
Description
Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path. PatchesUpgrade to @fastify/express v4.0.5 or later.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
@fastify/express versions up to 4.0.4 fail to normalize URLs consistently between Fastify routing and Express middleware when certain normalization options are enabled. Specifically, Fastify router normalizes URLs by removing duplicate slashes or interpreting semicolon delimiters, but the original un-normalized URL is forwarded to Express middleware. This discrepancy leads to Express middleware not matching the intended routes and skipping authentication middleware, allowing attackers to bypass path-scoped authentication controls. The vulnerability is tracked as CWE-436 (Interpretation Conflict).
Potential Impact
An unauthenticated attacker can bypass path-scoped authentication middleware by manipulating URL paths using duplicate slashes or semicolon delimiters, gaining unauthorized access to protected routes. The CVSS 4.0 score is 9.1 (critical), indicating high exploitability and impact without requiring privileges or user interaction.
Mitigation Recommendations
Upgrade to @fastify/express version 4.0.5 or later, where this URL normalization inconsistency is resolved. No other mitigation or temporary workaround is documented. Patch status is confirmed by the vendor advisory indicating the fix is available in v4.0.5.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- openjs
- Date Reserved
- 2026-03-23T19:48:48.715Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69df621082d89c981fd4ed20
Added to database: 4/15/2026, 10:01:52 AM
Last enriched: 4/15/2026, 10:16:49 AM
Last updated: 4/21/2026, 4:43:42 AM
Views: 48
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.