Description

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required. Upgrade to @fastify/express v4.0.5 or later.

INFO

Published Date :

2026-04-15T09:52:26.838Z

Last Modified :

2026-04-15T13:09:45.259Z

Source :

openjs
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33807 vulnerability.

Vendors Products
Fastify
  • Fastify-express
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33807.

URL Resource
https://cna.openjsf.org/security-advisories.html cve-icon cve-icon
https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact