CVE-2026-33807

@fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes

Assigner: openjs
Reserved: 23.03.2026 Published: 15.04.2026 Updated: 15.04.2026

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required.

Upgrade to @fastify/express v4.0.5 or later.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 9.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	fastify
Product	@fastify/express
Versions	Default: unaffected affected from 0 to 4.0.5 (excl.) Version 4.0.5 is unaffected

Vendor

fastify

Product

@fastify/express

Versions

Default: unaffected

affected from 0 to 4.0.5 (excl.)
Version 4.0.5 is unaffected

Credits

FredKSchott reporter
mcollina remediation developer
UlisesGascon remediation reviewer
climba03003 remediation reviewer

References

Problem Types