Skip to main content

Fastify Express EUVDEUVD-2026-22880

| CVE-2026-33807 CRITICAL
Interpretation Conflict (CWE-436)
2026-04-15 openjs GHSA-hrwm-hgmj-7p9c
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Patch released
Apr 16, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 15, 2026 - 10:09 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 10:00 euvd
EUVD-2026-22880
Analysis Generated
Apr 15, 2026 - 10:00 vuln.today
CVE Published
Apr 15, 2026 - 09:52 nvd
CRITICAL 9.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @fastify/express (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.0.5.

DescriptionCVE.org

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required.

Upgrade to @fastify/express v4.0.5 or later.

AnalysisAI

Middleware bypass in Fastify Express plugin (fastify/express) allows complete circumvention of authentication, authorization, and rate limiting controls due to path doubling logic error. When child plugins register with prefixes matching middleware paths, the onRegister function incorrectly doubles the middleware path, preventing any matches against incoming requests. Affects fastify/express versions ≤4.0.4 across all routes within child plugin scopes. Remote attackers require no authentication (CVSS PR:N), no user interaction, and low attack complexity to bypass critical security controls. No public exploit identified at time of analysis, though exploitation requires no special configuration or request crafting.

Technical ContextAI

Fastify Express (fastify/express) is a plugin that provides Express.js middleware compatibility within the Fastify web framework ecosystem. The vulnerability stems from CWE-436 (Interpretation Conflict) in the onRegister lifecycle hook, which manages middleware path registration during plugin composition. When Fastify's hierarchical plugin architecture registers child plugins with a prefix (e.g., '/api') that matches an existing middleware path, the flawed path normalization logic erroneously concatenates the prefix twice-transforming '/api' middleware paths into '/api/api'. This double-prefixing creates a permanent mismatch: incoming requests to '/api/*' routes never match the malformed '/api/api/*' middleware paths, causing the middleware chain to silently skip execution. The affected CPE (cpe:2.3:a:fastify:@fastify/express) identifies all versions through 4.0.4 of the npm package. Unlike typical path traversal or injection vulnerabilities, this is a pure logic error requiring no attacker input manipulation-the bug activates automatically based on legitimate plugin configuration patterns.

RemediationAI

Upgrade immediately to @fastify/express version 4.0.5 or later, which resolves the path doubling logic error in the onRegister function. Use npm (npm update @fastify/express) or yarn (yarn upgrade @fastify/express) to apply the patch. Verify the installed version post-upgrade using npm list @fastify/express. No configuration changes are required-version 4.0.5 automatically corrects the path handling behavior for all plugin hierarchies. If immediate patching is not feasible, implement temporary compensating controls: flatten plugin architecture to eliminate child plugins with prefixes matching middleware paths, or manually duplicate critical authentication/authorization checks within child plugin route handlers. However, these workarounds are error-prone and should only be used as short-term mitigations. The vendor-released patch (version 4.0.5) is the only complete remediation. Reference the GitHub security advisory at https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c for additional context and the OpenJS Foundation advisory at https://cna.openjsf.org/security-advisories.html for coordinated disclosure details.

Share

EUVD-2026-22880 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy