CVE-2026-6556
Undergoing Analysis - In Progress

Path Bypass in Fastify Express Plugin

Vulnerability report for CVE-2026-6556, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: openjs

Description

@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays of paths and regular expressions) are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms does not match the actual prefixed request path. Applications that use path-scoped middleware for authentication, authorization, rate limiting, or auditing on routes inside a prefixed scope can be bypassed by sending a request to the prefixed route, because Fastify still matches the route but the middleware is skipped. Patches: upgrade to @fastify/express 4.0.7. Workarounds: use string mount paths instead of arrays or regular expressions in prefixed plugins, or register one use call per path.


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

2 associated CPEs:

Vendor   Product   Version / Range
fastify  express   < 4.0.7 (excluding 4.0.7)
fastify  express   4.0.7

CWE

CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

The vulnerability in @fastify/express versions 4.0.6 and earlier involves how middleware mount paths are handled inside prefixed plugins. Specifically, when the mount path is not a string (for example, an array of paths or a regular expression), the plugin prefix is not correctly applied. This means that middleware registered with these non-string paths does not match the actual prefixed request path, causing the middleware to be skipped.

As a result, middleware that is supposed to handle authentication, authorization, rate limiting, or auditing on routes inside a prefixed scope can be bypassed by sending requests to the prefixed routes, because Fastify matches the route but the middleware does not run.

The issue is fixed in version 4.0.7 by properly rewriting the plugin prefix for all mount path types. Workarounds include using only string mount paths or registering separate middleware calls for each path.

Impact Analysis

This vulnerability can have a critical impact on your application security. Because middleware responsible for authentication, authorization, rate limiting, or auditing can be bypassed, unauthorized users may gain access to protected routes or resources.

This can lead to unauthorized data access, privilege escalation, and potential compromise of sensitive information or application integrity.

The CVSS score of 9.1 reflects the high severity of this issue, indicating a high impact on confidentiality and integrity without requiring user interaction or privileges.

Detection Guidance

Detection of this vulnerability involves identifying if your application uses @fastify/express version 4.0.6 or earlier and if it employs non-string mount paths (arrays or regular expressions) in prefixed plugins for middleware.

You can check the installed package version by running the following command in your project directory:

  • npm list @fastify/express

To detect whether non-string mount paths are used in your codebase, search for middleware registrations whose first argument starts with an array literal or a regular-expression literal. For example, using grep (extended regex; matches `.use([` and `.use(/`):

  • grep -rE "\.use\(\s*(\[|/)" ./

Additionally, logging or alerting on requests that reach routes inside a prefixed scope without the expected authentication or authorization middleware having run may indicate exploitation attempts; no specific commands for this are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade the @fastify/express package to version 4.0.7 or later, where this vulnerability is patched.

If upgrading immediately is not possible, apply the following workarounds:

  • Use string mount paths instead of arrays or regular expressions in prefixed plugins.
  • Register one use() call per path rather than using arrays or RegExp.
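
The following added example is not @fastify/express code; it is a minimal model of the prefix handling the advisory describes (string mount paths rewritten, arrays and RegExp left alone), beside the patched behaviour and the "one string use() call per path" workaround. The helper names (`mountUnpatched`, `mountPatched`, `mountMatches`, `middlewareRuns`) and the way a RegExp mount is prefixed after the fix are assumptions for illustration.

```javascript
// Model of CVE-2026-6556 (added example, not the plugin's own code).

// Join a plugin prefix and a string mount path (hypothetical helper).
function joinPath(prefix, path) {
  if (path === '/' || path === '') return prefix || '/';
  return (prefix || '') + path;
}

// Unpatched behaviour (<= 4.0.6 per the advisory): only string mount paths
// get the plugin prefix; arrays and RegExp are passed through untouched.
function mountUnpatched(prefix, path) {
  return typeof path === 'string' ? joinPath(prefix, path) : path;
}

// Patched behaviour (4.0.7): every mount form is rewritten. Prefixing a
// RegExp by escaping the prefix and anchoring it is an assumption here.
function mountPatched(prefix, path) {
  if (typeof path === 'string') return joinPath(prefix, path);
  if (Array.isArray(path)) return path.map((p) => mountPatched(prefix, p));
  if (path instanceof RegExp) {
    const escaped = prefix.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
    return new RegExp('^' + escaped + path.source.replace(/^\^/, ''), path.flags);
  }
  throw new TypeError('unsupported mount path');
}

// Express-style mount matching: a string mount matches itself and any
// sub-path, a RegExp is tested as-is, an array matches if any entry does.
function mountMatches(mount, url) {
  if (Array.isArray(mount)) return mount.some((m) => mountMatches(m, url));
  if (mount instanceof RegExp) return mount.test(url);
  return url === mount || url.startsWith(mount.endsWith('/') ? mount : mount + '/');
}

// Workaround from the advisory: one string use() call per path, so even the
// unpatched prefix logic rewrites each of them.
function expandToStringMounts(paths) {
  return (Array.isArray(paths) ? paths : [paths]).map(String);
}

// Does a request for `url` run middleware mounted at `path` inside `prefix`?
function middlewareRuns(prefix, path, url, patched) {
  const mount = patched ? mountPatched(prefix, path) : mountUnpatched(prefix, path);
  return mountMatches(mount, url);
}

// Constructed scenario: auth middleware mounted on an array inside '/admin'.
console.log(middlewareRuns('/admin', ['/users', '/settings'], '/admin/users', false)); // false: skipped
console.log(middlewareRuns('/admin', ['/users', '/settings'], '/admin/users', true));  // true: runs
```

An audit of a prefixed plugin can use `middlewareRuns` with `patched = false` to list which mounted paths would not fire for their real prefixed routes.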

Compliance Impact

This vulnerability allows middleware responsible for authentication, authorization, rate limiting, or auditing to be bypassed when non-string mount paths are used in prefixed Fastify plugins. As a result, protected routes may be accessed without proper authorization, potentially exposing sensitive data or functionality.

Such unauthorized access can lead to violations of compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive data, as well as proper auditing and authorization mechanisms.

Therefore, applications affected by this vulnerability may fail to meet these regulatory requirements until patched or mitigated.
