3 matches found
CVE-2026-33808
Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...
Improper Authorization
@fastify/express is vulnerable to Improper Authorization. The vulnerability is due to inconsistent URL normalization between Fastify and Express middleware, which allows an unauthenticated attacker to manipulate URL paths using duplicate slashes or semicolon delimiters to bypass path-based...
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
Summary @fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors: 1. Duplicate slashes //admin/dashboard when...