Fastify Express vulnerabilities
2 known vulnerabilities affecting fastify/fastify_express.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
CRITICAL: 2
Vulnerabilities
CVE-2026-33808 | P2 | CRITICAL | CVSS 9.1 | CWE-436 | fixed in 4.0.5 | 2026-04-15
Impact: @fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter
nvd
CVE-2026-33807 | P3 | CRITICAL | CVSS 9.1 | CWE-436 | fixed in 4.0.5 | 2026-04-15
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This resu
nvd