Skip to main content

Fastify Express

3 CVEs product

Monthly

CVE-2026-6556 CRITICAL PATCH Act Now

Authorization bypass in the @fastify/express middleware-compatibility plugin (versions 4.0.6 and earlier) lets unauthenticated remote attackers reach protected routes inside prefixed Fastify plugin scopes when security middleware is mounted using array or regular-expression paths. Because those non-string mount paths are never rewritten with the plugin prefix, authentication, authorization, rate-limiting, or auditing middleware silently fails to match the real request path and is skipped while Fastify still routes the request to the handler. There is no public exploit identified at time of analysis, and the issue is fixed in 4.0.7.

Authentication Bypass Fastify Express
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-33807 npm CRITICAL PATCH GHSA Act Now

Middleware bypass in Fastify Express plugin (fastify/express) allows complete circumvention of authentication, authorization, and rate limiting controls due to path doubling logic error. When child plugins register with prefixes matching middleware paths, the onRegister function incorrectly doubles the middleware path, preventing any matches against incoming requests. Affects fastify/express versions ≤4.0.4 across all routes within child plugin scopes. Remote attackers require no authentication (CVSS PR:N), no user interaction, and low attack complexity to bypass critical security controls. No public exploit identified at time of analysis, though exploitation requires no special configuration or request crafting.

Authentication Bypass Fastify Express
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-33808 npm CRITICAL PATCH GHSA Act Now

Authentication bypass in @fastify/express v4.0.4 and earlier allows remote unauthenticated attackers to access protected routes via URL path manipulation. The vulnerability exploits a URL normalization mismatch: Fastify router normalizes URLs (removing duplicate slashes or handling semicolon delimiters based on configuration), but @fastify/express passes the original un-normalized URL to Express middleware, causing path-scoped authentication checks to fail and be skipped entirely. No public expl

Authentication Bypass Fastify Express
NVD GitHub VulDB
CVSS 4.0
9.1
EPSS
0.1%
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authorization bypass in the @fastify/express middleware-compatibility plugin (versions 4.0.6 and earlier) lets unauthenticated remote attackers reach protected routes inside prefixed Fastify plugin scopes when security middleware is mounted using array or regular-expression paths. Because those non-string mount paths are never rewritten with the plugin prefix, authentication, authorization, rate-limiting, or auditing middleware silently fails to match the real request path and is skipped while Fastify still routes the request to the handler. There is no public exploit identified at time of analysis, and the issue is fixed in 4.0.7.

Authentication Bypass Fastify Express
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Middleware bypass in Fastify Express plugin (fastify/express) allows complete circumvention of authentication, authorization, and rate limiting controls due to path doubling logic error. When child plugins register with prefixes matching middleware paths, the onRegister function incorrectly doubles the middleware path, preventing any matches against incoming requests. Affects fastify/express versions ≤4.0.4 across all routes within child plugin scopes. Remote attackers require no authentication (CVSS PR:N), no user interaction, and low attack complexity to bypass critical security controls. No public exploit identified at time of analysis, though exploitation requires no special configuration or request crafting.

Authentication Bypass Fastify Express
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in @fastify/express v4.0.4 and earlier allows remote unauthenticated attackers to access protected routes via URL path manipulation. The vulnerability exploits a URL normalization mismatch: Fastify router normalizes URLs (removing duplicate slashes or handling semicolon delimiters based on configuration), but @fastify/express passes the original un-normalized URL to Express middleware, causing path-scoped authentication checks to fail and be skipped entirely. No public expl

Authentication Bypass Fastify Express
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy