EUVD-2026-22881

@fastify/express has a middleware authentication bypass via URL normalization gaps duplicate slashes and semicolons...

@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Summary @fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors: 1. Duplicate slashes //admin/dashboard when...

EUVD-2026-22880

@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes...

GHSA-HRWM-HGMJ-7P9C @fastify/express's middleware path doubling causes authentication bypass in child plugin scopes

Summary @fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share ...

@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes

Summary @fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share ...

@cmmn/tools (>=3.0.0-alpha-1 <=3.0.0-alpha-6), mikr0 (=0.1.10) potentially affected by CVE-2026-33807 via @fastify/express (>=4.0.1 <=4.0.2)

@fastify/express NPM version =4.0.1, =3.0.0-alpha-1, =3.0.0-alpha-6 - mikr0 =0.1.10 Source cves: CVE-2026-33807 Source advisory: SNYK:JS-FASTIFYEXPRESS-16068280...

Interpretation Conflict

Overview @fastify/express is an Express compatibility layer for Fastify Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of middleware paths in the onRegister function. An attacker can gain unauthorized access to protected routes by exploiting t...

Interpretation Conflict

Overview @fastify/express is an Express compatibility layer for Fastify Affected versions of this package are vulnerable to Interpretation Conflict via improper URL normalization gaps. An attacker can gain unauthorized access to protected routes by manipulating the URL path with duplicate slashes...

@cmmn/tools (>=3.0.0-alpha-1 <=3.0.0-alpha-6), mikr0 (=0.1.10) potentially affected by CVE-2026-33808 via @fastify/express (>=4.0.1 <=4.0.2)

@fastify/express NPM version =4.0.1, =3.0.0-alpha-1, =3.0.0-alpha-6 - mikr0 =0.1.10 Source cves: CVE-2026-33808 Source advisory: SNYK:JS-FASTIFYEXPRESS-16068303...

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

CVE-2026-33807 @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...

CVE-2026-33807 @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...

CVE-2026-33807

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...

CVE-2026-33807

CVE-2026-33807 affects @fastify/express v4.0.4 and earlier. A path handling bug in onRegister doubles middleware paths when inherited by child plugins, causing the middleware to never match requests. This results in complete bypass of Express middleware security controls (authentication, authoriz...

CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

CVE-2026-33808

CVE-2026-33808 affects fastify/express. Root cause: @fastify/express v4.0.4 and earlier fail to normalize URLs before passing to Express middleware when Fastify router normalization is enabled, allowing bypass of path-scoped authentication via duplicate slashes or semicolon delimiters. Outcome: a...

CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

PT-2026-33034

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.5 Description A path handling bug in the onRegister function causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix matching a middleware...

PT-2026-33035

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.5 Description An issue exists where the software fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows an unauthenticated...