{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/url-normalization/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-22037"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@fastify/express"],"_cs_severities":["critical"],"_cs_tags":["fastify","express","authentication-bypass","url-normalization","cve-2026-33808"],"_cs_type":"advisory","_cs_vendors":["Fastify"],"content_html":"\u003cp\u003eA critical vulnerability exists in \u003ccode\u003e@fastify/express\u003c/code\u003e version 4.0.4 related to URL normalization. When Fastify router normalization options (\u003ccode\u003eignoreDuplicateSlashes\u003c/code\u003e or \u003ccode\u003euseSemicolonDelimiter\u003c/code\u003e) are enabled, the \u003ccode\u003e@fastify/express\u003c/code\u003e module fails to properly normalize URLs before passing them to Express middleware. This discrepancy allows attackers to bypass authentication and authorization checks implemented in Express middleware. The vulnerability stems from the \u003ccode\u003eenhanceRequest\u003c/code\u003e function in \u003ccode\u003eindex.js\u003c/code\u003e, which doesn't normalize duplicate slashes or strip semicolon-delimited parameters, leading to a mismatch between Fastify's route matching and Express's middleware handling. This issue is distinct from CVE-2026-22037, which addressed percent-encoding bypass. Successful exploitation grants unauthenticated access to protected resources, impacting applications that rely on Express middleware for security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a protected route, such as \u003ccode\u003e/admin/dashboard\u003c/code\u003e, that is secured by Express middleware within a Fastify application using \u003ccode\u003e@fastify/express\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing either duplicate slashes (e.g., \u003ccode\u003e//admin/dashboard\u003c/code\u003e) or semicolon delimiters (e.g., \u003ccode\u003e/admin;bypass\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the target server using the crafted malicious URL.\u003c/li\u003e\n\u003cli\u003eFastify's router, configured with \u003ccode\u003eignoreDuplicateSlashes: true\u003c/code\u003e or \u003ccode\u003euseSemicolonDelimiter: true\u003c/code\u003e, normalizes the URL for route matching.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e@fastify/express\u003c/code\u003e's \u003ccode\u003eenhanceRequest\u003c/code\u003e function passes the original, un-normalized URL to the Express middleware.\u003c/li\u003e\n\u003cli\u003eThe Express middleware, expecting the normalized URL (e.g., \u003ccode\u003e/admin/dashboard\u003c/code\u003e), fails to match the malicious URL (e.g., \u003ccode\u003e//admin/dashboard\u003c/code\u003e or \u003ccode\u003e/admin;bypass\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe authentication/authorization checks in the Express middleware are bypassed.\u003c/li\u003e\n\u003cli\u003eThe Fastify route handler executes, granting the attacker unauthorized access to the protected resource, potentially leading to data breaches or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for complete authentication bypass in applications that utilize Express middleware for path-based access control and are built on \u003ccode\u003e@fastify/express\u003c/code\u003e. Successful exploitation leads to unauthorized access to protected resources like admin panels, APIs, and sensitive user data. The duplicate slash vector impacts applications with \u003ccode\u003eignoreDuplicateSlashes: true\u003c/code\u003e, while the semicolon vector affects those with \u003ccode\u003euseSemicolonDelimiter: true\u003c/code\u003e. This bypass affects all Express middleware using prefix path matching, including popular authentication, authorization, and rate-limiting packages. The root cause lies in the unexpected behavior of \u003ccode\u003e@fastify/express\u003c/code\u003e and its interaction with Fastify's router options, potentially affecting a large number of applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Fastify Express Double Slash Authentication Bypass\u003c/code\u003e to detect attempts to exploit the duplicate slash vulnerability via web server logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Fastify Express Semicolon Authentication Bypass\u003c/code\u003e to detect attempts to exploit the semicolon delimiter vulnerability via web server logs.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003e@fastify/express\u003c/code\u003e when available. This should include URL normalization before passing to Express middleware as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eReview Fastify configurations to understand if \u003ccode\u003eignoreDuplicateSlashes: true\u003c/code\u003e or \u003ccode\u003euseSemicolonDelimiter: true\u003c/code\u003e are actively used and assess the impact of disabling them until a patch is applied.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-02-29T10:00:00Z","date_published":"2024-02-29T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-02-fastify-express-auth-bypass/","summary":"A vulnerability exists in `@fastify/express` v4.0.4 that allows complete bypass of path-scoped authentication middleware via URL normalization gaps, specifically through duplicate slashes and semicolon delimiters, leading to unauthorized access to protected routes.","title":"@fastify/express Authentication Bypass via URL Normalization Gaps","url":"https://feed.craftedsignal.io/briefs/2024-02-fastify-express-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Url-Normalization","version":"https://jsonfeed.org/version/1.1"}