Compliance Impact

This vulnerability causes a complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes.

Because middleware responsible for enforcing security policies can be bypassed silently without errors or warnings, this can lead to unauthorized access to sensitive data or systems.

Such unauthorized access and lack of proper security controls can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33807 is a critical vulnerability in the npm package @fastify/express version 4.0.4 and earlier. It is caused by a path handling bug in the onRegister function that leads to middleware paths being doubled when inherited by child plugins with a matching prefix.

Specifically, when a child plugin is registered with a prefix that matches a middleware path registered on the parent, the middleware path is prefixed a second time (e.g., '/admin' becomes '/admin/admin'). Because the child plugin uses its own Express instance, the middleware registered under the doubled path does not match incoming requests to the intended path, causing the middleware to be silently skipped.

This results in a complete bypass of all Express middleware security controls, including authentication, authorization, rate limiting, CSRF protection, and audit logging, for all routes defined within the affected child plugin scopes. No special configuration or request crafting is required to exploit this issue.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to completely bypass Express middleware security controls on routes defined within child plugins that share a prefix with parent middleware.

• Authentication and authorization middleware can be bypassed, allowing unauthorized access.
• Rate limiting protections can be circumvented, potentially enabling denial of service or abuse.
• Other security-related middleware such as CSRF protection and audit logging can be skipped, reducing overall security visibility and protection.

The bypass is silent with no errors or warnings, making detection difficult. This can lead to unauthorized data access or manipulation within affected child plugin routes.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability causes middleware paths to be doubled in child plugins when they share a prefix with parent middleware, resulting in middleware bypass without errors or warnings. Detection is difficult because the bypass is silent and does not require special request crafting.

To detect this issue, you can test routes in child plugins that share a prefix with parent middleware by sending requests that should be blocked by middleware (e.g., authentication). If these requests succeed without the expected middleware enforcement, the vulnerability may be present.

There are no specific commands provided in the resources, but a practical approach is to use HTTP request tools like curl or Postman to send requests to protected routes in child plugins and verify if middleware controls (authentication, authorization, rate limiting) are enforced.

• Example test command: curl -i -H "Authorization: invalid" https://yourapp/admin/secret
• If the response returns 200 OK without proper authorization, it indicates middleware bypass.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the @fastify/express package to version 4.0.5 or later, where this path handling bug is fixed.

Until the upgrade can be applied, consider reviewing your Fastify plugin usage to avoid registering child plugins with prefixes that match parent middleware paths, as this triggers the vulnerability.

Additionally, audit your middleware registration patterns to ensure middleware is not unintentionally bypassed, and monitor access logs for unexpected successful requests to protected routes.

Useful 0 Not Useful 0