Product
critical
advisory
@fastify/express Authentication Bypass via URL Normalization Gaps
2 rules 1 TTP 1 CVEA vulnerability exists in `@fastify/express` v4.0.4 that allows complete bypass of path-scoped authentication middleware via URL normalization gaps, specifically through duplicate slashes and semicolon delimiters, leading to unauthorized access to protected routes.
@fastify/express
fastify
express
authentication-bypass
url-normalization
cve-2026-33808
2r
1t
1c
critical
advisory
Fastify/Express Middleware Path Doubling Authentication Bypass
2 rules 1 TTPA path handling bug in `@fastify/express` v4.0.4 `onRegister` function causes middleware paths to be doubled when inherited by child plugins, resulting in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware.
@fastify/express
fastify
express
authentication-bypass
middleware
path-traversal
2r
1t