@fastify/express URL-Encoding Bypass Vulnerability Allowing Middleware Bypass
Vulnerability
A vulnerability in the @fastify/express plugin, affecting versions prior to 4.0.3, allows middleware registered with a specific path prefix to be bypassed. A request that uses URL-encoded characters in the path is not decoded by the middleware engine before prefix matching, so the middleware does not run, while the underlying Fastify router decodes the path and dispatches to the matching route. As a result, attackers can reach protected endpoints without the usual middleware restrictions. The root cause is the plugin's request-path matching, which compares the raw (undecoded) path against the registered prefix.
Impact
Exploitation of this vulnerability allows attackers to bypass middleware restrictions, potentially gaining unauthorized access to protected endpoints. This could lead to unauthorized actions or information disclosure, depending on the nature of the accessed resources.
Reproduction
To reproduce this vulnerability, first set up a Fastify application and register the @fastify/express plugin. Then add middleware that blocks access to the /admin route. With the server running, send a request to the /admin path using a URL-encoded form of it (e.g., '/%61dmin'). The middleware does not execute, and the request is handled by the route handler, granting access to the admin panel.
Remediation
Upgrade to @fastify/express version 4.0.3 or later, which patches this vulnerability by decoding the request path before prefix matching, so that encoded-path bypasses are no longer effective.
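As an added illustration of the matching defect and of the fix the advisory describes (example code, not the @fastify/express implementation), here is a minimal prefix matcher that compares the raw path beside one that decodes the path first. Using decodeURIComponent as the decoding step, and failing closed on malformed percent-encoding, are assumptions of this example.

```javascript
// Illustrative prefix matching, not the @fastify/express code.
// Vulnerable behaviour: compare the raw request path against the registered
// prefix. '/%61dmin' does not match '/admin' here, even though the router
// decodes it to '/admin', so the middleware never runs for that request.
function matchesPrefixRaw(prefix, url) {
  const path = url.split('?')[0];
  return path === prefix || path.startsWith(prefix + '/');
}

// Decode the path before comparing, as the 4.0.3 fix does. decodeURIComponent
// is the decoding step assumed here; it throws on malformed sequences such as
// '/%zz', which are reported as null so the caller can decide what to do.
function decodePath(url) {
  const path = url.split('?')[0];
  try {
    return decodeURIComponent(path);
  } catch {
    return null; // malformed percent-encoding
  }
}

// Fixed behaviour: match on the decoded path. A path that cannot be decoded is
// treated as a match (fail closed, an assumption of this example), so the
// middleware still runs rather than being skipped on odd input.
function matchesPrefixDecoded(prefix, url) {
  const path = decodePath(url);
  if (path === null) return true;
  return path === prefix || path.startsWith(prefix + '/');
}

// Constructed sample request paths for a middleware registered on '/admin'.
const SAMPLES = [
  '/admin',
  '/admin/users',
  '/%61dmin',
  '/%61dmin/users?x=1',
  '/administrator',
  '/public',
];

// Compare both matchers over the samples; 'raw' is false for the encoded
// variants while 'decoded' is true, which is exactly the bypass.
function compare(prefix, urls) {
  return urls.map((url) => ({
    url,
    raw: matchesPrefixRaw(prefix, url),
    decoded: matchesPrefixDecoded(prefix, url),
  }));
}
```

A regression test for the plugin would send the encoded variants through the real server and assert that the middleware was invoked for each one.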