CVE-2026-33807
9.1 CRITICAL · @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled wh...
Published: 2026-04-15 · Last updated: 2026-06-01
Severity and scoring
- CVSS: 9.1 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- CWE: CWE-436 (Interpretation Conflict)
Affected products
| Vendor | Product |
|---|---|
| fastify | fastify/express |
Description
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required. Upgrade to @fastify/express v4.0.5 or later.
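To make the failure mode concrete, here is an added JavaScript model (not code from @fastify/express or Fastify, and not a reproduction against the real library): it models Express-style mount-path matching and the inheritance step the description refers to, with the vulnerable behaviour (the child prefix applied a second time to a middleware path that is already absolute) beside a corrected one (absolute paths copied unchanged). The function names, the constructed scenario (a root-mounted logger, an auth guard mounted at /admin, a child plugin registered with prefix /admin serving /admin/users) and the corrected behaviour are this example's assumptions; the library's actual patch may differ.

```javascript
// Added illustration, not code from @fastify/express: a small model of
// Express-style mount-path matching that reproduces the effect described in
// the advisory (a parent middleware path being prefixed a second time when it
// is inherited by a prefixed child plugin). All function names are hypothetical.

// Express runs a middleware mounted at `mount` when the request path is exactly
// `mount` or continues with '/' after it; a root mount matches every path.
function mountMatches(mount, reqPath) {
  if (mount === '/' || mount === '') return true;
  return reqPath === mount || reqPath.startsWith(mount + '/');
}

// Join a plugin prefix and a middleware path without producing '//' or a
// trailing slash, so joinPath('/admin', '/') is '/admin'.
function joinPath(prefix, p) {
  const joined = (prefix + '/' + p).replace(/\/+/g, '/');
  return joined.length > 1 ? joined.replace(/\/$/, '') : joined;
}

// Parent middlewares carry absolute mount paths. When a child plugin with
// `prefix` inherits them, the vulnerable behaviour modelled here prefixes those
// absolute paths again; the corrected behaviour (an assumption of this model,
// not necessarily the library's fix) leaves them untouched, since they were
// never relative to the child's prefix.
function inheritIntoChild(parentMiddlewares, prefix, { doublePrefix }) {
  return parentMiddlewares.map(m => ({
    name: m.name,
    path: doublePrefix ? joinPath(prefix, m.path) : m.path,
  }));
}

// Names of the middlewares that would run for a request handled by a route
// defined inside the child plugin.
function middlewaresRunFor(childMiddlewares, reqPath) {
  return childMiddlewares
    .filter(m => mountMatches(m.path, reqPath))
    .map(m => m.name);
}

// Constructed scenario: a root-level logger, an auth guard mounted at /admin,
// and a child plugin registered with prefix '/admin' that defines /admin/users.
const PARENT_MIDDLEWARES = [
  { name: 'logger', path: '/' },
  { name: 'requireAdmin', path: '/admin' },
];
const CHILD_PREFIX = '/admin';
const REQUEST_PATH = '/admin/users';

// Compare which middlewares guard the child's route under both behaviours.
function demonstrate() {
  const vulnerable = inheritIntoChild(PARENT_MIDDLEWARES, CHILD_PREFIX, { doublePrefix: true });
  const fixed = inheritIntoChild(PARENT_MIDDLEWARES, CHILD_PREFIX, { doublePrefix: false });
  return {
    vulnerablePaths: vulnerable.map(m => m.path),               // ['/admin', '/admin/admin']
    vulnerableRan: middlewaresRunFor(vulnerable, REQUEST_PATH), // ['logger']
    fixedRan: middlewaresRunFor(fixed, REQUEST_PATH),           // ['logger', 'requireAdmin']
  };
}

console.log(demonstrate());
```

In the model, the doubled guard is mounted at /admin/admin and never runs for /admin/users, while the root-mounted logger still runs because '/admin' joined with '/' still covers the child's routes; this matches the advisory's scoping of the bypass to child prefixes that match a middleware path. The equivalent check against a real application is to register a child plugin whose prefix equals the mount path of a security middleware, send an unauthenticated request to one of its routes on the installed @fastify/express version, and confirm whether the middleware fires; the remediation remains the upgrade to v4.0.5 or later stated above.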
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-33807)
- [Vendor advisory](https://cna.openjsf.org/security-advisories.html)
- [Vendor advisory](https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c)
Related CVEs
Same vendor
- CVE-2026-7768 — @fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy (7.5 HIGH)
- CVE-2026-33805 — @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the prox... (8.6 HIGH)
- CVE-2026-33808 — @fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normaliza... (9.1 CRITICAL)
Same CWE
- CVE-2026-42462 — Fedify is a TypeScript library for building federated server apps powered by ActivityPub (7.0 HIGH)
- CVE-2026-47344 — When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but accep...
- CVE-2026-40930 — LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files (5.4 MEDIUM)
- CVE-2026-47076 — Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery (6.5 MEDIUM)
- CVE-2026-40165 — authentik is an open-source identity provider (8.7 HIGH)