Platform
nodejs
Component
@fastify/express
Fixed in
4.0.5
CVE-2026-33807 is an authentication bypass vulnerability in @fastify/express versions up to and including 4.0.4. It stems from a path-handling bug in the onRegister function: when a child plugin inherits middleware registered in its parent, the middleware path is doubled (the shared prefix is applied a second time), so the middleware no longer matches the child's routes. This effectively bypasses Express middleware security controls for routes defined within child plugins, potentially exposing sensitive data and functionality. The vulnerability is fixed in version 4.0.5.
CVE-2026-33807 affects @fastify/express up to and including 4.0.4 and is a path-handling bug in the onRegister function, which handles plugin registration. When a child plugin is registered, the middleware it inherits from its parent is re-registered with its path doubled, so the parent's Express middleware no longer matches the routes the child plugin defines under the same prefix; for those routes the middleware, and any security control it enforces, is bypassed entirely. No special configuration is required: the default Fastify configuration is affected. The CVSS score is 9.1 (critical).
Exploiting the bug requires no special access. If an application registers a security control as Express middleware on a path in a parent plugin (an authentication check, for instance) and defines routes under the same prefix inside a child plugin, the doubled middleware path never matches those routes, so a plain request to a child-plugin route is handled without the check and may reach resources or functionality that should have been protected. That the precondition is an ordinary application layout, combined with the impact of a full bypass, accounts for the critical CVSS rating.
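To make the mechanism concrete, here is an added example (not code from @fastify/express or from this advisory) that models Express-style middleware paths being inherited by a prefixed child plugin. It takes the advisory's "doubled" wording to mean the shared prefix is applied a second time and shows, side by side, an inheritance that re-prefixes an already-absolute path and one that keeps it intact. All function names, the /admin prefix and the /users route are this example's own assumptions.

```javascript
// Added example, not code from @fastify/express or the advisory: a minimal
// model of Express-style middleware paths inherited by a prefixed child plugin.
// It shows how applying the shared prefix a second time ("doubling") makes an
// inherited middleware stop matching the child's routes, next to a join that
// keeps the inherited path intact. All names here are this example's own.

// Express-style mount matching for app.use(path, fn): "/admin" covers "/admin"
// and "/admin/...", not "/administrator" (trailing-slash and case handling omitted).
function pathMatches(mountPath, requestPath) {
  if (mountPath === '/') return true;
  return requestPath === mountPath || requestPath.startsWith(mountPath + '/');
}

// Prefix a path registered via use(path, fn) with the scope's route prefix.
function joinPath(prefix, path) {
  if (!prefix) return path;
  return path === '/' ? prefix : prefix + path;
}

// Registration in a scope: each entry is [absolutePath, middlewareFn].
function register(scopePrefix, middlewares, path, fn) {
  return [...middlewares, [joinPath(scopePrefix, path), fn]];
}

// Doubled inheritance (models the advisory's description): the parent's
// entries are re-registered in the child through the same join, so an
// already-absolute path gets the child's prefix prepended again.
function inheritDoubled(parentMiddlewares, childPrefix) {
  return parentMiddlewares.reduce(
    (acc, [path, fn]) => register(childPrefix, acc, path, fn), []);
}

// Intact inheritance: parent entries are already absolute, so copy them as-is.
function inheritIntact(parentMiddlewares) {
  return parentMiddlewares.map(([path, fn]) => [path, fn]);
}

// Names of the middleware that would run for a request in the child scope.
function middlewareFor(middlewares, requestPath) {
  return middlewares
    .filter(([path]) => pathMatches(path, requestPath))
    .map(([, fn]) => fn.name);
}

// Scenario from the advisory: auth middleware on /admin in the parent, a
// child plugin registered with prefix /admin defining GET /users.
function scenario(inherit) {
  function requireAuth(req, res, next) { next(); } // stand-in for the real check
  const parent = register('', [], '/admin', requireAuth); // parent: use('/admin', requireAuth)
  const childPrefix = '/admin';                          // child: { prefix: '/admin' }
  const child = inherit(parent, childPrefix);
  const requestPath = '/admin/users';                    // child route "/users" under the prefix
  return {
    inheritedPath: child[0][0],
    authRuns: middlewareFor(child, requestPath).includes('requireAuth'),
  };
}

console.log('doubled:', scenario(inheritDoubled)); // { inheritedPath: '/admin/admin', authRuns: false }
console.log('intact: ', scenario(inheritIntact));  // { inheritedPath: '/admin', authRuns: true }
```

The model deliberately uses the same join for registration and re-registration, because that is the shape of bug the advisory describes: a path that is already absolute is treated as relative to the child's prefix, and a request to /admin/users then falls outside the mount at /admin/admin. Whether the real fix in 4.0.5 stores relative paths or skips the second join is not stated on this page; the point of the example is only that the inherited mount path must equal the parent's.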
Exploit Status
EPSS: 0.02% (6th percentile)
The fix is to upgrade @fastify/express to version 4.0.5 or later, which corrects the path handling in onRegister so inherited middleware paths are no longer doubled and Express security controls again apply to child-plugin routes. Apply the update promptly. Until it is deployed, review child plugins registered with a prefix that overlaps a parent-scoped middleware path and verify with an unauthenticated request that their routes are actually covered; upgrading remains the primary remediation.
Upgrade to version 4.0.5 or later of @fastify/express to correct the vulnerability. This update fixes a path-handling error that allowed Express security controls, such as authentication and authorization, to be bypassed in child plugins.
It means that when a child plugin inherits middleware from its parent, the middleware's path has the shared prefix applied a second time. Middleware registered on /admin in the parent, inherited by a child plugin registered with prefix /admin, ends up mounted at /admin/admin, so requests to the child plugin's routes under /admin no longer match it and the protection it was meant to enforce never runs.
Check which version of @fastify/express is installed; running npm ls @fastify/express lists every copy, including nested ones. If any copy is 4.0.4 or earlier, the application is affected.
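For a repeatable check, here is an added example (not a tool from the advisory or the project) that reads an npm lockfile's "packages" map, which lists nested copies as well as the top-level one, and flags every @fastify/express entry at or below the last affected release. The lockfile excerpt and the other package versions in it are constructed for the example.

```javascript
// Added example, not from the advisory or the project: report every installed
// copy of @fastify/express in an npm lockfile (v2/v3 "packages" map, which
// includes nested node_modules entries) that is at or below the last affected
// release. SAMPLE_LOCK is constructed for this example.

const LAST_AFFECTED = '4.0.4'; // per the advisory; 4.0.5 is the fix

// Numeric major.minor.patch comparison; a pre-release tag is ignored, so
// "4.0.5-rc.1" compares as 4.0.5.
function parseVersion(v) {
  return String(v).replace(/^v/, '').split('-')[0].split('.')
    .map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, LAST_AFFECTED) <= 0;
}

// Lockfile keys look like "node_modules/@fastify/express" or
// "node_modules/<dep>/node_modules/@fastify/express" for nested copies.
function findFastifyExpress(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path.endsWith('node_modules/@fastify/express') && entry && entry.version) {
      findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return findings;
}

function report(lockfile) {
  return findFastifyExpress(lockfile).map((f) =>
    `${f.path}@${f.version}: ${f.affected ? 'AFFECTED, upgrade to >= 4.0.5' : 'ok'}`);
}

// Constructed lockfile excerpt: a direct copy on 4.0.4 and a nested one on 4.0.5.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/fastify': { version: '5.2.1' },
    'node_modules/@fastify/express': { version: '4.0.4' },
    'node_modules/legacy-service/node_modules/@fastify/express': { version: '4.0.5' },
  },
};

console.log(report(SAMPLE_LOCK).join('\n'));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). The nested entry in the sample is there on purpose: a transitive dependency can pin its own, older copy of @fastify/express even after the top-level one is upgraded, and only a scan of the full "packages" map catches it.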
If you cannot upgrade immediately, review every child plugin registered with a prefix that overlaps a parent-scoped middleware path and enforce an equivalent check inside the child plugin itself, for example in a Fastify onRequest or preHandler hook, which does not depend on Express middleware paths. Treat this as a stopgap, not a fix.
There is no tool that detects the faulty behaviour directly. Dependency scanning that matches the advisory's version range will flag affected installs, and security audits or penetration tests that request child-plugin routes without credentials are recommended to confirm the controls actually apply.
CVSS (Common Vulnerability Scoring System) is a standard for evaluating vulnerability severity. A score of 9.1 indicates a critical vulnerability requiring immediate attention.