CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description (NVD)
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required.
Upgrade to @fastify/express v4.0.5 or later.
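The mechanism above, as an added illustration that is not @fastify/express's own code: a small model of middleware-path inheritance that reproduces the doubling described in the advisory beside the expected behaviour, so a team can turn it into a regression test for its own plugin layout. The prefixing rule, the corrected variant and the sample paths are assumptions.

```javascript
// Added example (not @fastify/express code): a minimal model of how a
// middleware path registered on a parent plugin is inherited by a child
// plugin, contrasting the doubling behaviour with the expected one.

// Join a plugin prefix and a middleware path the way a mount would
// (assumed rule: plain concatenation, with "/" meaning "the prefix itself").
function joinPath(prefix, path) {
  if (path === '/') return prefix.length > 0 ? prefix : '/';
  return prefix + path;
}

// Register middleware on a plugin: it is stored with its absolute path.
function registerMiddleware(table, prefix, path, name) {
  table.push({ path: joinPath(prefix, path), name });
}

// Model of the faulty inheritance: the already-absolute path is pushed
// through the child's prefix a second time.
function inheritBuggy(parentTable, childPrefix) {
  const child = [];
  for (const m of parentTable) registerMiddleware(child, childPrefix, m.path, m.name);
  return child;
}

// Assumed corrected inheritance (not the project's actual patch):
// the stored path is already absolute, so it is copied unchanged.
function inheritFixed(parentTable) {
  return parentTable.map((m) => ({ ...m }));
}

// Does middleware mounted at `mountPath` run for a request to `url`?
// An Express-style mount matches the path itself and any sub-path.
function mountMatches(mountPath, url) {
  if (mountPath === '/') return true;
  return url === mountPath || url.startsWith(mountPath + '/');
}

// Names of the middlewares that would execute for a request URL.
function middlewaresFor(table, url) {
  return table.filter((m) => mountMatches(m.path, url)).map((m) => m.name);
}

// Constructed scenario: an auth guard is mounted at /api on the root plugin
// and a child plugin is registered with prefix /api (serving /api/users).
const parent = [];
registerMiddleware(parent, '', '/api', 'auth');
const buggyChild = inheritBuggy(parent, '/api'); // path becomes /api/api
const fixedChild = inheritFixed(parent);         // path stays /api
```

With the doubled mount, `middlewaresFor(buggyChild, '/api/users')` is empty, which is the silent guard bypass the advisory describes; the corrected table returns `['auth']`.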
Analysis (AI)
Middleware bypass in the Fastify Express plugin (fastify/express) allows complete circumvention of authentication, authorization, and rate-limiting controls due to a path-doubling logic error. When child plugins register with prefixes matching middleware paths, the onRegister function incorrectly doubles the middleware path, preventing any matches against incoming requests. …
Remediation (AI)
Within 24 hours: Inventory all applications using the fastify/express plugin and identify versions ≤4.0.4; isolate or restrict network access to affected services pending remediation. Within 7 days: Contact the vendor for a patch availability timeline and interim guidance; implement compensating controls (see below) on all affected instances. …
EUVD-2026-22880
GHSA-hrwm-hgmj-7p9c