CVE-2026-33808: @fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
@fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors:
- Duplicate slashes (
//admin/dashboard) whenignoreDuplicateSlashes: trueis configured - Semicolon delimiters (
/admin;bypass) whenuseSemicolonDelimiter: trueis configured
In both cases, Fastify’s router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped.
Note: This is distinct from GHSA-g6q3-96cp-5r5m (CVE-2026-22037), which addressed URL percent-encoding bypass and was patched in v4.0.3. These normalization gaps remain in v4.0.4. A similar class of normalization issue was addressed in @fastify/middie via GHSA-8p85-9qpw-fwgw (CVE-2026-2880), but @fastify/express does not include the equivalent fixes.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-33808 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →