CVE-2026-33807
Status: Received
Path Handling Bug in @fastify/express Causes Middleware Bypass

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: openjs

Description
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required. Upgrade to @fastify/express v4.0.5 or later.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-04-15
EPSS evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)

Vendor    Product   Version / Range
fastify   express   up to 4.0.5 (excluding)
fastify   express   from 4.0.5 (including)
fastify   express   4.0.5
CWE

CWE ID    Description
CWE-436   Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33807 is a critical vulnerability in the npm package @fastify/express version 4.0.4 and earlier. It is caused by a path handling bug in the onRegister function that leads to middleware paths being doubled when inherited by child plugins with a matching prefix.

Specifically, when a child plugin is registered with a prefix that matches a middleware path registered on the parent, the middleware path is prefixed a second time (e.g., '/admin' becomes '/admin/admin'). Because the child plugin uses its own Express instance, the middleware registered under the doubled path does not match incoming requests to the intended path, causing the middleware to be silently skipped.

This results in a complete bypass of all Express middleware security controls, including authentication, authorization, rate limiting, CSRF protection, and audit logging, for all routes defined within the affected child plugin scopes. No special configuration or request crafting is required to exploit this issue.
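The path doubling described above, worked through as an added example. This is not code from @fastify/express or from the advisory; it is a deliberately small model of Express-style mount-path matching in which a child scope inherits the parent's middleware. The names (makeScope, registerChildBuggy, registerChildFixed, middlewareFor, joinPath) are invented for the illustration, and the "fixed" variant shows one correct way to inherit absolute mount paths, not the project's actual patch.

```javascript
// Added example, not code from @fastify/express: a small model of Express-style
// mount-path matching and of the prefix handling the advisory describes.
// Scope/middleware names and the joinPath/registerChild* helpers are invented.

// Join two path segments without doubling slashes: '/' + '/admin' -> '/admin'.
function joinPath(a, b) {
  const joined = (a + '/' + b).replace(/\/+/g, '/');
  return joined.length > 1 ? joined.replace(/\/$/, '') : joined;
}

// Express mount semantics: middleware mounted at '/admin' runs for '/admin'
// and for anything below it; middleware mounted at '/' runs for everything.
function mountMatches(mountPath, reqPath) {
  if (mountPath === '/') return true;
  return reqPath === mountPath || reqPath.startsWith(mountPath + '/');
}

// A scope holds an absolute route prefix and middleware with absolute mount paths.
function makeScope(prefix, middlewares) {
  return { prefix, middlewares: middlewares.map((m) => ({ ...m })) };
}

// Buggy inheritance (the behaviour the advisory attributes to <= 4.0.4, as modelled
// here): inherited mount paths are already absolute, yet the child prefix is applied
// to them again, so '/admin' under prefix '/admin' becomes '/admin/admin'.
function registerChildBuggy(parent, childPrefix) {
  const doubled = parent.middlewares.map((m) => ({ ...m, path: joinPath(childPrefix, m.path) }));
  return makeScope(joinPath(parent.prefix, childPrefix), doubled);
}

// Corrected inheritance: the child keeps the parent's absolute mount paths untouched.
function registerChildFixed(parent, childPrefix) {
  return makeScope(joinPath(parent.prefix, childPrefix), parent.middlewares);
}

// Names of the middleware that would run for reqPath inside a scope.
function middlewareFor(scope, reqPath) {
  return scope.middlewares.filter((m) => mountMatches(m.path, reqPath)).map((m) => m.name);
}

// The advisory's scenario: auth mounted on '/admin' by the parent, a child plugin
// registered with prefix '/admin', and a request for '/admin/secret'.
function demonstrate() {
  const parent = makeScope('/', [{ name: 'auth', path: '/admin' }]);
  const buggyChild = registerChildBuggy(parent, '/admin');
  const fixedChild = registerChildFixed(parent, '/admin');

  // Same doubling, but middleware mounted at '/' inherited into prefix '/api':
  // the doubled path '/api' still covers every child route, so nothing is skipped.
  const globalParent = makeScope('/', [{ name: 'auth', path: '/' }]);
  const apiChild = registerChildBuggy(globalParent, '/api');

  return {
    buggyAuthPath: buggyChild.middlewares[0].path,          // '/admin/admin'
    buggyRuns: middlewareFor(buggyChild, '/admin/secret'),  // [] -> auth silently skipped
    fixedRuns: middlewareFor(fixedChild, '/admin/secret'),  // ['auth']
    globalRuns: middlewareFor(apiChild, '/api/users'),      // ['auth'] -> only a matching prefix breaks
  };
}
```

The last case is the reason the advisory singles out child prefixes that match a middleware path: a globally mounted middleware survives the doubling because its doubled path still covers the whole child scope, whereas a middleware mounted exactly at the child's prefix ends up one level too deep and never matches.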


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability causes a complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes.

Because middleware responsible for enforcing security policies can be bypassed silently without errors or warnings, this can lead to unauthorized access to sensitive data or systems.

Such unauthorized access and lack of proper security controls can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.


How can this vulnerability impact me?

This vulnerability allows attackers to completely bypass Express middleware security controls on routes defined within child plugins that share a prefix with parent middleware.

  • Authentication and authorization middleware can be bypassed, allowing unauthorized access.
  • Rate limiting protections can be circumvented, potentially enabling denial of service or abuse.
  • Other security-related middleware such as CSRF protection and audit logging can be skipped, reducing overall security visibility and protection.

The bypass is silent with no errors or warnings, making detection difficult. This can lead to unauthorized data access or manipulation within affected child plugin routes.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability causes middleware paths to be doubled in child plugins when they share a prefix with parent middleware, resulting in middleware bypass without errors or warnings. Detection is difficult because the bypass is silent and does not require special request crafting.

To detect this issue, you can test routes in child plugins that share a prefix with parent middleware by sending requests that should be blocked by middleware (e.g., authentication). If these requests succeed without the expected middleware enforcement, the vulnerability may be present.

The referenced resources do not provide specific detection commands, but a practical approach is to use an HTTP client such as curl or Postman to send requests to protected routes inside child plugins and verify that middleware controls (authentication, authorization, rate limiting) are enforced.

  • Example test command: curl -i -H "Authorization: invalid" https://yourapp/admin/secret
  • If the response returns 200 OK without proper authorization, it indicates middleware bypass.
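The curl check above, turned into a repeatable script for your own staging or test deployment, as an added example that is not part of the advisory or of @fastify/express. It sends each protected route a request with an invalid bearer token and groups the routes by how they answered; a 2xx means the route handler ran without the middleware. The function names (probeProtectedRoutes, classifyStatus), the header value and the sample route list are assumptions for this illustration. It relies on the global fetch of Node 18+, and fetchImpl can be injected so the logic can be exercised offline.

```javascript
// Added example, not part of the advisory or of @fastify/express: a check to run
// against your own deployment. Names, header value and sample paths are assumptions.

const PROBE_HEADERS = { Authorization: 'Bearer invalid-token-used-only-for-this-probe' };

// 2xx: the handler answered although the credential was invalid -> middleware did not run.
// 401/403/429: an authentication, authorization or rate-limit control answered.
// Anything else (404, 5xx, redirects): inspect by hand.
function classifyStatus(status) {
  if (status >= 200 && status < 300) return 'bypassed';
  if (status === 401 || status === 403 || status === 429) return 'enforced';
  return 'other';
}

async function probeProtectedRoutes(baseUrl, paths, fetchImpl = globalThis.fetch) {
  const result = { bypassed: [], enforced: [], other: [] };
  for (const p of paths) {
    const res = await fetchImpl(new URL(p, baseUrl).toString(), {
      method: 'GET',
      headers: PROBE_HEADERS,
      redirect: 'manual', // a redirect to a login page lands in 'other', not in 'bypassed'
    });
    result[classifyStatus(res.status)].push(p);
  }
  return result;
}

// Sample route list (constructed): routes registered inside child plugins whose
// prefix equals a parent middleware mount path are the ones worth including.
const SAMPLE_PROTECTED_ROUTES = ['/admin/secret', '/admin/users', '/api/me'];
```

A usage for a CI gate is `probeProtectedRoutes('https://staging.example.test', SAMPLE_PROTECTED_ROUTES).then((r) => { if (r.bypassed.length > 0) process.exitCode = 1; })`, with the base URL replaced by your own deployment. Keep the route list in the same repository as the Fastify plugins so a newly registered child prefix is added to the check alongside its routes.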

What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation is to upgrade the @fastify/express package to version 4.0.5 or later, where this path handling bug is fixed.

Until the upgrade can be applied, consider reviewing your Fastify plugin usage to avoid registering child plugins with prefixes that match parent middleware paths, as this triggers the vulnerability.

Additionally, audit your middleware registration patterns to ensure middleware is not unintentionally bypassed, and monitor access logs for unexpected successful requests to protected routes.
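To confirm the upgrade actually landed everywhere, including nested copies pulled in by other dependencies, here is an added example (not from the advisory or the project) that scans an npm package-lock.json for copies of @fastify/express below 4.0.5. It handles lockfile versions 2 and 3, whose "packages" map lists every installed copy. The lockfile contents below are constructed for the illustration, and the function names are assumptions.

```javascript
// Added example, not from the advisory or the project: find copies of
// @fastify/express below the fixed release in a lockfile v2/v3 "packages" map.
// The sample lockfile is constructed; function names are assumptions.

const PACKAGE_NAME = '@fastify/express';
const FIXED_VERSION = '4.0.5'; // first fixed release named in the advisory

// Numeric comparison of major.minor.patch. A pre-release suffix is ignored, so a
// hypothetical '4.0.5-rc.1' compares as 4.0.5 (a simplification of semver order).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// "v4.0.4 and earlier" in the advisory: anything below the fixed version.
function isAffectedVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Keys in "packages" look like "node_modules/@fastify/express" or, for a nested
// copy installed under a dependency, "node_modules/dep/node_modules/@fastify/express".
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/' + PACKAGE_NAME)) continue;
    if (entry.version && isAffectedVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile: one vulnerable top-level copy, one already-fixed nested copy.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/fastify': { version: '5.0.0' },
    'node_modules/@fastify/express': { version: '4.0.4' },
    'node_modules/legacy-dep/node_modules/@fastify/express': { version: '4.0.5' },
  },
};
```

For a real project, pass `JSON.parse(require('node:fs').readFileSync('package-lock.json', 'utf8'))` to findAffected; a non-empty result means the upgrade is incomplete. Lockfile version 1 stores a nested "dependencies" tree instead of "packages" and is not handled by this scan.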

