Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Network and unauthenticated (AV:N/PR:N), but AC:H because exploitation depends on the app using array/RegExp mount paths for security middleware in a prefixed scope; high C/I from bypassed authz, no availability impact.
Primary rating from Vendor (ce714d77-add3-4f53-aff5-83d477b104bb).
CVSS VectorVendor: ce714d77-add3-4f53-aff5-83d477b104bb
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays of paths and regular expressions) are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms does not match the actual prefixed request path. Applications that use path-scoped middleware for authentication, authorization, rate limiting, or auditing on routes inside a prefixed scope can be bypassed by sending a request to the prefixed route, because Fastify still matches the route but the middleware is skipped. Patches: upgrade to @fastify/express 4.0.7. Workarounds: use string mount paths instead of arrays or regular expressions in prefixed plugins, or register one use call per path.
AnalysisAI
Authorization bypass in the @fastify/express middleware-compatibility plugin (versions 4.0.6 and earlier) lets unauthenticated remote attackers reach protected routes inside prefixed Fastify plugin scopes when security middleware is mounted using array or regular-expression paths. Because those non-string mount paths are never rewritten with the plugin prefix, authentication, authorization, rate-limiting, or auditing middleware silently fails to match the real request path and is skipped while Fastify still routes the request to the handler. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application uses @fastify/express (≤4.0.6) and registers path-scoped middleware - specifically middleware performing authentication, authorization, rate limiting, or auditing - inside a Fastify plugin that is mounted under a path prefix, AND that this middleware is declared with a non-string mount path (an array of paths or a regular expression) rather than a string. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, base 9.1) describes a network-reachable, unauthenticated, low-complexity bypass with high confidentiality and integrity impact and no availability impact, which is consistent with an auth/authz control being skipped. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A developer protects /api/admin routes by registering an authentication middleware in a prefixed plugin using a RegExp or array mount path; because the prefix is never applied, the middleware never matches and is skipped. An unauthenticated attacker simply sends a normal HTTP request to the real prefixed route (e.g. … |
| Remediation | Vendor-released patch: 4.0.7 - upgrade @fastify/express to 4.0.7 or later, which restores prefix rewriting for non-string mount paths, per GHSA-3wf5-7852-vcfq (https://github.com/fastify/fastify-express/security/advisories/GHSA-3wf5-7852-vcfq). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running @fastify/express 4.0.6 or earlier and assess exposure; systems using array or regex-based route prefixes require priority assessment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Fastify Express
View allAuthentication bypass in @fastify/express v4.0.4 and earlier allows remote unauthenticated attackers to access protected
Middleware bypass in Fastify Express plugin (fastify/express) allows complete circumvention of authentication, authoriza
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40309