Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 1 npm packages depend on @fastify/express (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.0.5.
DescriptionCVE.org
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required.
Upgrade to @fastify/express v4.0.5 or later.
AnalysisAI
Middleware bypass in Fastify Express plugin (fastify/express) allows complete circumvention of authentication, authorization, and rate limiting controls due to path doubling logic error. When child plugins register with prefixes matching middleware paths, the onRegister function incorrectly doubles the middleware path, preventing any matches against incoming requests. Affects fastify/express versions ≤4.0.4 across all routes within child plugin scopes. Remote attackers require no authentication (CVSS PR:N), no user interaction, and low attack complexity to bypass critical security controls. No public exploit identified at time of analysis, though exploitation requires no special configuration or request crafting.
Technical ContextAI
Fastify Express (fastify/express) is a plugin that provides Express.js middleware compatibility within the Fastify web framework ecosystem. The vulnerability stems from CWE-436 (Interpretation Conflict) in the onRegister lifecycle hook, which manages middleware path registration during plugin composition. When Fastify's hierarchical plugin architecture registers child plugins with a prefix (e.g., '/api') that matches an existing middleware path, the flawed path normalization logic erroneously concatenates the prefix twice-transforming '/api' middleware paths into '/api/api'. This double-prefixing creates a permanent mismatch: incoming requests to '/api/*' routes never match the malformed '/api/api/*' middleware paths, causing the middleware chain to silently skip execution. The affected CPE (cpe:2.3:a:fastify:@fastify/express) identifies all versions through 4.0.4 of the npm package. Unlike typical path traversal or injection vulnerabilities, this is a pure logic error requiring no attacker input manipulation-the bug activates automatically based on legitimate plugin configuration patterns.
RemediationAI
Upgrade immediately to @fastify/express version 4.0.5 or later, which resolves the path doubling logic error in the onRegister function. Use npm (npm update @fastify/express) or yarn (yarn upgrade @fastify/express) to apply the patch. Verify the installed version post-upgrade using npm list @fastify/express. No configuration changes are required-version 4.0.5 automatically corrects the path handling behavior for all plugin hierarchies. If immediate patching is not feasible, implement temporary compensating controls: flatten plugin architecture to eliminate child plugins with prefixes matching middleware paths, or manually duplicate critical authentication/authorization checks within child plugin route handlers. However, these workarounds are error-prone and should only be used as short-term mitigations. The vendor-released patch (version 4.0.5) is the only complete remediation. Reference the GitHub security advisory at https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c for additional context and the OpenJS Foundation advisory at https://cna.openjsf.org/security-advisories.html for coordinated disclosure details.
More in Fastify Express
View allAuthorization bypass in the @fastify/express middleware-compatibility plugin (versions 4.0.6 and earlier) lets unauthent
Authentication bypass in @fastify/express v4.0.4 and earlier allows remote unauthenticated attackers to access protected
Same weakness CWE-436 – Interpretation Conflict
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22880
GHSA-hrwm-hgmj-7p9c