<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>@Fastify/Express - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/@fastify/express/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 29 Feb 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/@fastify/express/feed.xml" rel="self" type="application/rss+xml"/><item><title>@fastify/express Authentication Bypass via URL Normalization Gaps</title><link>https://feed.craftedsignal.io/briefs/2024-02-fastify-express-auth-bypass/</link><pubDate>Thu, 29 Feb 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-02-fastify-express-auth-bypass/</guid><description>A vulnerability exists in `@fastify/express` v4.0.4 that allows complete bypass of path-scoped authentication middleware via URL normalization gaps, specifically through duplicate slashes and semicolon delimiters, leading to unauthorized access to protected routes.</description><content:encoded><![CDATA[<p>A critical vulnerability exists in <code>@fastify/express</code> version 4.0.4 related to URL normalization. When Fastify router normalization options (<code>ignoreDuplicateSlashes</code> or <code>useSemicolonDelimiter</code>) are enabled, the <code>@fastify/express</code> module fails to properly normalize URLs before passing them to Express middleware. This discrepancy allows attackers to bypass authentication and authorization checks implemented in Express middleware. The vulnerability stems from the <code>enhanceRequest</code> function in <code>index.js</code>, which doesn't normalize duplicate slashes or strip semicolon-delimited parameters, leading to a mismatch between Fastify's route matching and Express's middleware handling. This issue is distinct from CVE-2026-22037, which addressed percent-encoding bypass. Successful exploitation grants unauthenticated access to protected resources, impacting applications that rely on Express middleware for security.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a protected route, such as <code>/admin/dashboard</code>, that is secured by Express middleware within a Fastify application using <code>@fastify/express</code>.</li>
<li>The attacker crafts a malicious URL containing either duplicate slashes (e.g., <code>//admin/dashboard</code>) or semicolon delimiters (e.g., <code>/admin;bypass</code>).</li>
<li>The attacker sends an HTTP request to the target server using the crafted malicious URL.</li>
<li>Fastify's router, configured with <code>ignoreDuplicateSlashes: true</code> or <code>useSemicolonDelimiter: true</code>, normalizes the URL for route matching.</li>
<li><code>@fastify/express</code>'s <code>enhanceRequest</code> function passes the original, un-normalized URL to the Express middleware.</li>
<li>The Express middleware, expecting the normalized URL (e.g., <code>/admin/dashboard</code>), fails to match the malicious URL (e.g., <code>//admin/dashboard</code> or <code>/admin;bypass</code>).</li>
<li>The authentication/authorization checks in the Express middleware are bypassed.</li>
<li>The Fastify route handler executes, granting the attacker unauthorized access to the protected resource, potentially leading to data breaches or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows for complete authentication bypass in applications that utilize Express middleware for path-based access control and are built on <code>@fastify/express</code>. Successful exploitation leads to unauthorized access to protected resources like admin panels, APIs, and sensitive user data. The duplicate slash vector impacts applications with <code>ignoreDuplicateSlashes: true</code>, while the semicolon vector affects those with <code>useSemicolonDelimiter: true</code>. This bypass affects all Express middleware using prefix path matching, including popular authentication, authorization, and rate-limiting packages. The root cause lies in the unexpected behavior of <code>@fastify/express</code> and its interaction with Fastify's router options, potentially affecting a large number of applications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Fastify Express Double Slash Authentication Bypass</code> to detect attempts to exploit the duplicate slash vulnerability via web server logs.</li>
<li>Deploy the Sigma rule <code>Detect Fastify Express Semicolon Authentication Bypass</code> to detect attempts to exploit the semicolon delimiter vulnerability via web server logs.</li>
<li>Upgrade to a patched version of <code>@fastify/express</code> when available. This should include URL normalization before passing to Express middleware as suggested in the advisory.</li>
<li>Review Fastify configurations to understand if <code>ignoreDuplicateSlashes: true</code> or <code>useSemicolonDelimiter: true</code> are actively used and assess the impact of disabling them until a patch is applied.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>fastify</category><category>express</category><category>authentication-bypass</category><category>url-normalization</category><category>cve-2026-33808</category></item><item><title>Fastify/Express Middleware Path Doubling Authentication Bypass</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-fastify-express-auth-bypass/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-fastify-express-auth-bypass/</guid><description>A path handling bug in `@fastify/express` v4.0.4 `onRegister` function causes middleware paths to be doubled when inherited by child plugins, resulting in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware.</description><content:encoded><![CDATA[<p>A path handling bug in the <code>@fastify/express</code> package allows attackers to bypass authentication in Fastify applications using Express middleware. The vulnerability exists in version 4.0.4 of <code>@fastify/express</code>. The <code>onRegister</code> function incorrectly handles middleware paths when child plugins are registered with a prefix, causing the middleware paths to be doubled. This leads to a situation where security controls, such as authentication checks, are silently skipped for routes defined within those child plugin scopes. This vulnerability impacts applications using path-scoped middleware and child plugins with matching prefixes, and it affects default Fastify configurations. The issue was reported on April 16, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The application registers Express middleware with a path scope (e.g., <code>/admin</code>) using <code>app.use('/admin', authFn)</code>. The path is stored as <code>/admin</code>.</li>
<li>A child plugin is registered with a prefix that overlaps the middleware path (e.g., <code>{ prefix: '/admin' }</code>). This triggers the <code>onRegister</code> hook.</li>
<li>The <code>onRegister</code> function copies the parent middleware and attempts to re-register it using <code>instance.use('/admin', authFn)</code> on the child plugin instance.</li>
<li>The child's <code>use()</code> function prepends the plugin prefix to the middleware path, resulting in a doubled path (e.g., <code>/admin/admin</code>).</li>
<li>Routes are defined within the child plugin scope using the child's Express instance.</li>
<li>When a request is made to a route within the child scope (e.g., <code>/admin/secret</code>), the middleware registered with the doubled path (<code>/admin/admin</code>) is not triggered.</li>
<li>Authentication and authorization checks are bypassed because the middleware is not executed for requests to the intended routes.</li>
<li>The attacker gains unauthorized access to resources and data within the child plugin scope.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability allows for a complete bypass of Express middleware security controls for routes defined within child plugin scopes. This includes authentication, authorization, rate limiting, and other security measures.  The silent nature of the bypass, with no errors or warnings, makes it particularly dangerous.  Successful exploitation could lead to unauthorized access to sensitive data, privilege escalation, and other security breaches. Any child plugin scope that shares a prefix with middleware is affected.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to a patched version of <code>@fastify/express</code> when available.</li>
<li>As a temporary workaround, avoid using child plugins with prefixes that overlap with middleware path scopes until a patch is released.</li>
<li>Review existing <code>@fastify/express</code> configurations for overlapping middleware paths and child plugin prefixes, and refactor the application to avoid this pattern.</li>
<li>Deploy the Sigma rule <code>Detect Fastify Express Middleware Bypass</code> to identify potential exploitation attempts by monitoring for requests to routes that should be protected by middleware but are not.</li>
<li>Consider implementing additional security measures, such as request validation and input sanitization, to mitigate the risk of unauthorized access.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>fastify</category><category>express</category><category>authentication-bypass</category><category>middleware</category><category>path-traversal</category></item></channel></rss>