CVE-2026-33808: Authentication Bypass via Path Normalization Drift in @fastify/express

The vulnerability stems from an architectural divergence between Fastify's native routing engine and the Express middleware compatibility layer. Fastify utilizes the find-my-way library for route resolution, which offers configurable URL normalization features. When configurations such as ignoreDuplicateSlashes or useSemicolonDelimiter are enabled, Fastify actively mutates the internal representation of the incoming request path before evaluating it against the routing table. This design ensures that non-standard but functionally equivalent paths resolve to the correct handler.

Conversely, the @fastify/express plugin integrates Express-style middleware into the Fastify request lifecycle by wrapping the execution pipeline. This wrapper relies on the path-to-regexp library to determine if a specific middleware function should execute for a given path prefix. Prior to version 4.0.5, this compatibility layer extracted the request path directly from the raw HTTP request object, applying only minimal URL decoding. It did not query the Fastify instance for its specific path normalization configurations.

This discrepancy creates an interpretation conflict, classified under CWE-436, where the same input yields distinct parsing results across two interconnected components. The Fastify router normalizes the path and accurately identifies the target route handler. Simultaneously, the Express middleware evaluator processes the raw, un-normalized path. Because the raw path fails to match the strict regular expression generated for the protected route prefix, the middleware pipeline is bypassed entirely, proceeding directly to the route handler.

The fundamental flaw lies in the synchronization failure between the core framework's routing state and the plugin's middleware execution context. Fastify allows developers to instantiate the server with specific boolean flags, namely ignoreDuplicateSlashes and useSemicolonDelimiter. When a client issues a request with duplicate slashes (e.g., //admin/dashboard), the Fastify core intercepts this at the transport layer, normalizes the string to /admin/dashboard, and successfully maps it to the registered GET handler for that specific endpoint.

The Express compatibility layer operates independently during the middleware execution phase. It maps registered middleware functions to specific path prefixes using Express semantics. When a middleware function is registered via instance.use('/admin', authMiddleware), the plugin uses path-to-regexp to compile the string /admin into a strict regular expression, typically resembling /^\/admin\/?(?=\/|$)/i. This regular expression is then evaluated against the incoming request path to determine if the middleware should run.

The critical error in @fastify/express versions 4.0.4 and earlier is that the evaluation string passed to the regular expression is derived from the un-normalized req.raw.url. The evaluation engine compares the raw input //admin/dashboard against the compiled regex /^\/admin\/?(?=\/|$)/i. The regular expression requires a single leading slash, causing the match to fail. The plugin subsequently concludes that the request path does not fall under the /admin scope, skips the authMiddleware execution, and passes control back to Fastify, which then executes the protected handler based on its own normalized route resolution.

An analysis of the patch implemented in version 4.0.5 (Commit 674020f27ddc1d1709e4369cb40158d4c958d42b) reveals the specific mechanism used to resolve the interpretation conflict. The vulnerable implementation failed to account for Fastify server configurations, passing essentially raw request data into the Express middleware stack. The patched version introduces explicit synchronization logic within the request enhancement phase.

The core of the fix is the introduction of the normalizeUrl and removeDuplicateSlashes functions. These functions manually recreate Fastify's normalization behavior within the plugin's execution scope before invoking the middleware pipeline. The normalizeUrl function accepts the raw URL and the Fastify instance options as arguments.

// Normalized logic added in v4.0.5
function normalizeUrl (url, options) {
  const { ignoreDuplicateSlashes, useSemicolonDelimiter } = options
  const { path, query } = splitPathAndQuery(url, useSemicolonDelimiter)
  const normalizedPath = ignoreDuplicateSlashes ? removeDuplicateSlashes(path) : path
  return normalizedPath + query
}
 
function removeDuplicateSlashes (path) {
  return path.replace(/\/{2,}/g, '/')
}

By retrieving the ignoreDuplicateSlashes and useSemicolonDelimiter properties directly from the active Fastify instance configuration, the plugin ensures parity in path interpretation. If duplicate slashes are ignored by the router, they are also stripped from the path passed to path-to-regexp. This architectural correction guarantees that the Express middleware engine operates on the exact same string representation that the Fastify router uses for endpoint resolution, effectively eliminating the CWE-436 interpretation conflict.

Exploitation of CVE-2026-33808 requires no specialized tools and can be executed via standard HTTP requests. The primary prerequisite is that the target application must utilize @fastify/express to protect Fastify routes and must be configured with either ignoreDuplicateSlashes: true or useSemicolonDelimiter: true. If these conditions are met, an unauthenticated attacker can construct a payload simply by altering the URI structure in a manner that triggers the parser divergence.

The attack vector relies on manipulating the path prefix where the target middleware is mounted. If an authentication middleware is mounted at /admin, the attacker modifies the request path to //admin/dashboard. The Express middleware engine parses //admin and fails to match the prefix, while the Fastify router strips the duplicate slash and routes the request to /admin/dashboard.

> [!NOTE] > The semicolon delimiter attack vector operates under identical mechanics. A request directed to /admin;bypass fails the Express middleware regex match for /admin, but Fastify truncates the path at the semicolon, resolving the route as /admin and executing the handler.

The official proof-of-concept code provided in the patch commit explicitly demonstrates this behavior. A simulated server registers an authorization middleware on the /admin path that rejects requests lacking a specific header. When a fetch request is executed against the server address appended with //admin/dashboard, the response status code returned is 200 OK rather than the expected 403 Forbidden, confirming the successful bypass of the security control.

The security implications of CVE-2026-33808 are severe for applications relying on @fastify/express for access control enforcement. Middleware functions are commonly utilized to implement authentication mechanisms, authorization checks, rate limiting, and input validation. The ability to systematically bypass these controls nullifies the primary security boundary of the application for specific routes.

Successful exploitation grants an attacker unauthenticated access to the underlying Fastify handlers. Depending on the functionality exposed by these handlers, the impact can range from unauthorized data disclosure to complete application compromise. If the bypassed middleware protects administrative interfaces or data modification endpoints, attackers can execute privileged actions, manipulate database records, or potentially achieve remote code execution depending on subsequent vulnerabilities within the handler logic.

The vulnerability is assigned a CVSS v4.0 score of 9.1 (Critical), reflecting the low attack complexity and the severe impact on confidentiality and integrity. The attack requires no authentication, involves no user interaction, and can be executed over the network with standard HTTP clients. Despite the critical severity, the Exploit Prediction Scoring System (EPSS) indicates a relatively low exploitation probability of 0.11%. This low probability is primarily attributed to the specific, non-default framework configurations (ignoreDuplicateSlashes or useSemicolonDelimiter) required for the vulnerability to manifest, limiting the attack surface across the broader Fastify ecosystem.

The definitive remediation for CVE-2026-33808 is upgrading the @fastify/express dependency to version 4.0.5 or later. The patch introduced in this release systematically synchronizes the path parsing logic between the Express middleware compatibility layer and the Fastify core engine. Development teams must ensure that their package management lockfiles are updated to reflect this patched version to prevent regression.

In environments where immediate upgrading is structurally impossible, a functional workaround involves manually normalizing the request URL prior to the execution of the Express middleware pipeline. This can be achieved by implementing a Fastify onRequest hook that intercepts incoming requests, strips duplicate slashes, and removes semicolon delimiters from the req.raw.url property. This approach forces the Express engine to evaluate the same sanitized string that the Fastify router utilizes.

At the network perimeter, Web Application Firewalls (WAF) can be configured to detect and block malicious URL manipulations. Security engineers should implement rule sets that match repeated slash characters (//) or semicolon delimiters (;) within the URI path, specifically targeting prefixes known to require authentication. Furthermore, monitoring and log analysis systems should flag 200 OK or 404 Not Found responses to requests containing these patterns, as they indicate active probing or successful exploitation of the normalization drift.