CVE-2026-33807: Middleware Bypass via Path Interpretation Conflict in @fastify/express
Vulnerability ID: CVE-2026-33807
CVSS Score: 9.1
Published: 2026-04-16
A critical vulnerability exists in @fastify/express versions 4.0.4 and earlier where an interpretation conflict causes middleware paths to be incorrectly calculated during plugin inheritance. This flaw allows unauthenticated remote attackers to bypass security middleware, such as authentication and authorization controls, on specific routes defined within child plugin scopes.
TL;DR
@fastify/express <= 4.0.4 incorrectly doubles path prefixes during child plugin registration, bypassing security middleware on encapsulated child routes.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-436
- Attack Vector: Network
- CVSS Base Score: 9.1 (Critical)
- EPSS Score: 0.00052
- Exploit Status: Proof-of-Concept Available
- KEV Status: Not Listed
Affected Systems
- Node.js applications utilizing Fastify with the @fastify/express compatibility plugin
- @fastify/express: <= 4.0.4 (fixed in 4.0.5)
Code Analysis
- Commit c4e49b5: Fix path doubling via instance.express.use
- Commit 674020f: Introduce normalizeUrl for request path consistency
Exploit Details
- Security Advisory: Proof of concept code demonstrating the middleware bypass in child scopes.
Mitigation Strategies
- Upgrade @fastify/express to version 4.0.5 or later
- Migrate security-critical Express middleware to Fastify-native lifecycle hooks
- Avoid nested prefix overlaps when utilizing legacy Express middleware
Remediation Steps:
- Audit project dependencies for @fastify/express versions <= 4.0.4.
- Update package.json to require @fastify/express ^4.0.5.
- Run npm install or yarn install to update lockfiles.
- Execute integration tests against protected routes to verify middleware enforcement.
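The remediation steps end with verifying that security middleware actually covers the protected routes. The following is an added example, not code from @fastify/express or from this advisory: a dependency-free Node.js audit helper that composes a parent and a child prefix exactly once, models the doubled-prefix mount described above as a constructed scenario (the library's internal logic is not reproduced), and lists the protected routes that no security middleware mount path covers. The function names (normalizePath, composePrefix, mountCovers, findUnprotectedRoutes, auditExample) and the sample prefixes and routes are assumptions constructed for illustration.

```javascript
// Added example, not @fastify/express code: audit whether protected routes are
// actually covered by the mount paths of security middleware.

// Normalize a URL path: collapse repeated slashes, drop a trailing slash,
// guarantee a leading slash. ('' -> '/', '/api//admin/' -> '/api/admin')
function normalizePath(p) {
  const segments = String(p || '').split('/').filter(Boolean);
  return '/' + segments.join('/');
}

// Compose a parent prefix and a child prefix exactly once. If the child prefix
// has already been resolved against the parent (it starts with the parent
// prefix followed by '/'), it is returned unchanged instead of being prefixed
// a second time. The check uses p + '/' so that '/apis' is not treated as
// living under '/api'.
function composePrefix(parent, child) {
  const p = normalizePath(parent);
  const c = normalizePath(child);
  if (p === '/') return c;
  if (c === p || c.startsWith(p + '/')) return c;
  return normalizePath(p + c);
}

// Express-style mount semantics: a middleware mounted at `mount` sees requests
// for the mount path itself and any sub-path beneath it.
function mountCovers(mount, routePath) {
  const m = normalizePath(mount);
  const r = normalizePath(routePath);
  return m === '/' || r === m || r.startsWith(m + '/');
}

// Return every protected route that no security middleware mount covers.
function findUnprotectedRoutes(protectedRoutes, securityMounts) {
  return protectedRoutes.filter(
    (route) => !securityMounts.some((mount) => mountCovers(mount, route))
  );
}

// Constructed scenario (hypothetical values): parent scope prefix '/api',
// child plugin prefix '/admin', two protected routes under the child scope.
const PARENT_PREFIX = '/api';
const CHILD_PREFIX = '/admin';
const PROTECTED_ROUTES = ['/api/admin/users', '/api/admin/settings'];

function auditExample() {
  // The child's prefix as it should be resolved against the parent.
  const resolvedChild = composePrefix(PARENT_PREFIX, CHILD_PREFIX); // '/api/admin'
  // Modelled misbehaviour: the already-resolved child prefix gets the parent
  // prefix prepended again, so the middleware is mounted at '/api/api/admin'
  // and never sees requests for '/api/admin/...'.
  const doubledMount = normalizePath(PARENT_PREFIX + resolvedChild);
  // Composing once yields the mount the routes actually live under.
  const correctMount = composePrefix(PARENT_PREFIX, resolvedChild);
  return {
    doubledMount,
    correctMount,
    unprotectedWhenDoubled: findUnprotectedRoutes(PROTECTED_ROUTES, [doubledMount]),
    unprotectedWhenCorrect: findUnprotectedRoutes(PROTECTED_ROUTES, [correctMount]),
  };
}

console.log(JSON.stringify(auditExample(), null, 2));
```

Feeding the helper the mount paths and route table of a real application (for example, dumped from the registered routes after startup) turns the last remediation step into a repeatable check: any route reported as unprotected is one where the middleware would not run, regardless of which version of the plugin produced the mount.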