CVE-2026-33807
Published 2026-04-15
Priority P359 · critical 9.1 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS 0.43% (34.4th percentile)
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required.
Upgrade to @fastify/express v4.0.5 or later.
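To make the path doubling concrete, here is an added JavaScript model of the inheritance step the advisory describes (this is not code from @fastify/express or @fastify/middie): the "affected" branch prefixes the inherited middleware path a second time, the "fixed" branch that simply keeps the parent's absolute mount path is an assumption about the intended behaviour, and the middleware list and request URLs are constructed.

```javascript
// Added model of the inheritance step the advisory describes; not code from
// @fastify/express or @fastify/middie. Middleware names and URLs are constructed.

// Express-style mount matching: a middleware mounted at "/admin" runs for
// "/admin" and "/admin/<rest>", but not for "/administrator".
function mountMatches(mountPath, url) {
  if (mountPath === '/') return true;
  return url === mountPath || url.startsWith(mountPath + '/');
}

// Prefix an already-registered mount path with a plugin prefix.
function joinPath(prefix, path) {
  return path === '/' ? prefix : prefix.replace(/\/$/, '') + path;
}

// Copy parent-scoped middleware into a child plugin registered with childPrefix.
// affected=true reproduces the bug: the inherited path is prefixed a second time,
// so a parent mount at "/admin" becomes "/admin/admin" in a child at "/admin".
// affected=false keeps the parent's absolute mount (an assumption about the
// intended behaviour, not the library's actual fix).
function inherit(parentMiddleware, childPrefix, affected) {
  return parentMiddleware.map(({ path, name }) => ({
    name,
    path: affected ? joinPath(childPrefix, path) : path,
  }));
}

// Names of the middleware in a scope that run for a request URL.
function middlewareFor(scopeMiddleware, url) {
  return scopeMiddleware.filter((m) => mountMatches(m.path, url)).map((m) => m.name);
}

// Defender check: which parent middleware should have run for `url` inside the
// child scope but is skipped once the inherited path has been doubled.
function bypassedInChild(parentMiddleware, childPrefix, url) {
  const expected = middlewareFor(inherit(parentMiddleware, childPrefix, false), url);
  const actual = middlewareFor(inherit(parentMiddleware, childPrefix, true), url);
  return expected.filter((name) => !actual.includes(name));
}

// Constructed sample: a global rate limiter plus an auth check on /admin, and a
// child plugin registered with prefix "/admin" that defines /admin/users.
const PARENT_MIDDLEWARE = [
  { path: '/', name: 'rateLimit' },
  { path: '/admin', name: 'requireAuth' },
];

console.log(inherit(PARENT_MIDDLEWARE, '/admin', true)); // requireAuth now mounted at /admin/admin
console.log(bypassedInChild(PARENT_MIDDLEWARE, '/admin', '/admin/users')); // [ 'requireAuth' ]
```

The rate limiter mounted at `/` still runs after doubling, which is why only the middleware whose mount equals the child prefix disappears; a child registered under an unrelated prefix such as `/api` loses nothing.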
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fastify | express | >= 0 < 4.0.5 | 4.0.5 |
| fastify | fastify_express | < 4.0.5 | 4.0.5 |
| fastify | middie | >= 0 < 9.3.2 | 9.3.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| GHSA | | 9.1 | CRITICAL | |
GHSA · 2026-04-16
CVE-2026-33807 [CRITICAL] CWE-436: @fastify/express's middleware path doubling causes authentication bypass in child plugin scopes
### Summary
`@fastify/express` v4.0.4 contains a path handling bug in the `onRegister` function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware. No special configuration is required — this affects the default Fastify configuration.
### Details
The vulnerability exists in the `onRegister` function at `index.js` lines 92-101. When a child plugin is registered with a prefix, the `onRegister` hook copies middleware from the parent scope and re-registers it using `instance.use(...middleware)`. Howeve
GHSA · 2026-04-16 · CVSS 9.1
CVE-2026-6270 [CRITICAL] CWE-436: @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
### Impact
`@fastify/middie` v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fails to match incoming requests.
This results in complete bypass of middleware security controls for all routes defined within affected child plugin scopes, including nested (grandchild) scopes. Authentication, authorization, rate limiting, and any other middleware-based security mechanisms are skipped. No special request crafting or configuration is required.
This is the same vulnerability class as [GHSA-h
VulDB · 2026-04-15 · CVSS 9.1
CVE-2026-33807 [CRITICAL]: fastify express up to 4.0.4 onRegister interpretation conflict
A vulnerability identified as critical has been detected in fastify express up to 4.0.4. This affects the function onRegister. The manipulation leads to interpretation conflict.
This vulnerability is referenced as CVE-2026-33807. Remote exploitation of the attack is possible. No exploit is available.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-15