Fastify Express plugin patches middleware path-doubling auth bypass
TL;DR — A path-handling bug in @fastify/express can completely skip Express middleware (authn/authz/rate limiting) for routes registered under certain child plugin prefixes.
What happened
@fastify/express is a Fastify plugin that provides Express compatibility by letting Fastify apps run Express-style middleware.
CVE-2026-33807 reports a critical middleware bypass caused by a path handling bug in the plugin’s onRegister logic: middleware paths can be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path gets prefixed a second time, causing it to never match incoming requests. The result is complete bypass of Express middleware security controls (explicitly called out: authentication, authorization, and rate limiting) for all routes defined within affected child plugin scopes.
| Item | Source value |
|---|---|
| Weakness | CWE-436 (Interpretation Conflict) |
| Severity | CVSS v3.1 9.1 (Critical) |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Why this matters: middleware-based security controls are often treated as “global guardrails.” A bug that makes middleware silently stop matching routes is therefore an application-layer access control failure, and in a plugin-based service architecture the blast radius is every route in the affected scope, not a single handler.
Who is impacted
- Applications using @fastify/express where Express middleware is relied on for security controls (authn/authz, rate limiting).
- Deployments that register child plugins with prefixes that interact with middleware paths (the advisory notes the bypass occurs within affected child plugin scopes).
| Package | Affected | Patched |
|---|---|---|
| @fastify/express | < 4.0.5 | 4.0.5 |
The CVE states that no special configuration or request crafting is required for exploitation: once a route sits in an affected child plugin scope, an ordinary request to it reaches the handler without the middleware ever running.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing: "Upgrade to @fastify/express v4.0.5 or later."
- Inventory services using @fastify/express and identify where Express middleware is used as a primary enforcement point for authentication, authorization, and throttling.
- Treat this as an access-control regression risk: add automated tests that assert middleware is actually invoked for all routes under child plugin prefixes (including routes introduced by third-party plugins).
- If compromise is suspected, review access logs for unexpected access to routes that are normally protected by Express middleware, and rotate credentials reachable from the affected service runtime. Note that a bypassed request never reaches the middleware, so any logging done by the middleware itself (auth failures, rate-limit hits) will be silent; look at route handler and reverse proxy logs instead.
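The mechanism described under "What happened" and the coverage test recommended above, as an added JavaScript illustration written for this page. It is not code from @fastify/express or from the advisory: the `Scope` class, `joinPrefix`, `pathMatches` and `scenario` are constructed to model the failure in the advisory's words (an inherited middleware path has the child prefix applied a second time), and the "keep the stored path" variant is an assumed correct behaviour used for comparison, not the project's actual patch. The `/admin` mount, the `/admin` child prefix and the route paths are likewise constructed sample input.

```javascript
// Added illustration, not code from @fastify/express. A scope records
// Express-style middleware with an absolute mount path; the step that hands
// middleware down to a child scope registered under a prefix either re-applies
// that prefix (the bug as described) or keeps the stored path (assumed correct
// behaviour for comparison). unguardedRoutes() is the check a regression test
// for this class of bug should make.

// Express-style mount matching: '/admin' covers '/admin' and '/admin/...'
// but not '/administrator'.
function pathMatches(mountPath, reqPath) {
  if (mountPath === '/') return true;
  return reqPath === mountPath || reqPath.startsWith(mountPath + '/');
}

function joinPrefix(prefix, path) {
  if (!prefix) return path;
  return path === '/' ? prefix : prefix + path;
}

class Scope {
  constructor(prefix, reapplyPrefixOnInherit) {
    this.prefix = prefix;
    this.reapplyPrefixOnInherit = reapplyPrefixOnInherit;
    this.middlewares = []; // entries: [absoluteMountPath, handler]
    this.routes = [];      // absolute route paths registered in this scope
  }

  // Register middleware relative to this scope; the stored path is absolute.
  use(path, handler) {
    this.middlewares.push([joinPrefix(this.prefix, path), handler]);
    return this;
  }

  route(path) {
    this.routes.push(joinPrefix(this.prefix, path));
    return this;
  }

  // Model of the onRegister step: create the child scope and hand down the
  // parent's middleware. In the buggy variant each already-absolute entry goes
  // back through use(), so the child prefix is prepended a second time.
  register(childPrefix) {
    const child = new Scope(joinPrefix(this.prefix, childPrefix), this.reapplyPrefixOnInherit);
    for (const [mountPath, handler] of this.middlewares) {
      if (this.reapplyPrefixOnInherit) child.use(mountPath, handler);
      else child.middlewares.push([mountPath, handler]);
    }
    return child;
  }

  // Coverage check: routes in this scope that no middleware mount would match.
  unguardedRoutes() {
    return this.routes.filter(
      (r) => !this.middlewares.some(([mountPath]) => pathMatches(mountPath, r)),
    );
  }
}

// Constructed scenario matching the advisory's description: an auth guard
// mounted at '/admin' on the root scope, then a child plugin registered with
// the same prefix '/admin' that defines the protected routes.
function scenario(reapplyPrefixOnInherit) {
  const requireAuth = (req, res, next) => next(); // stand-in guard, never invoked here
  const root = new Scope('', reapplyPrefixOnInherit).use('/admin', requireAuth);
  const admin = root.register('/admin').route('/users').route('/audit');
  return {
    mountPaths: admin.middlewares.map(([mountPath]) => mountPath),
    unguarded: admin.unguardedRoutes(),
  };
}

console.log('vulnerable:', JSON.stringify(scenario(true)));
console.log('fixed:     ', JSON.stringify(scenario(false)));
```

In the re-applying variant the child scope ends up with a single mount at `/admin/admin`, so both `/admin/users` and `/admin/audit` are reported as unguarded; in the other variant the mount stays at `/admin` and nothing is unguarded. The same assertion can be made end to end in a real service by mounting a probe middleware that records every path it sees, injecting one request per registered route (Fastify's `inject` works for this), and failing the test for any route the probe did not observe.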
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
