CVE-2026-33807
Fastify · @fastify/express
A path handling error in @fastify/express causes middleware security controls to be bypassed for child plugins, leaving routes exposed to unauthorized requests.
Executive summary
A path handling bug in @fastify/express versions 4.0.4 and earlier causes critical middleware, such as authentication and authorization, to be bypassed for affected child plugin routes.
Vulnerability
A logic error in the onRegister function causes middleware mount paths to be incorrectly prefixed when a child plugin inherits them. The mis-prefixed path no longer matches the child plugin's routes, so the middleware never runs for requests to those routes; the route handler itself still responds, so the bypass produces no error and is easy to miss.
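The following is an added illustration of the bug class described above, not @fastify/express source code. It models Express-style middleware mounted in a parent plugin being inherited by a child plugin that registers routes under its own prefix. The exact mis-prefixing modelled in the "buggy" branch (re-applying the child prefix to a mount path that already carries the parent's prefix) is an assumption used to show what "incorrectly prefixed" does to matching; the real onRegister defect may differ in detail. The names `joinPath`, `inheritMiddlewares`, `dispatch` and `simulate` are this example's own.

```javascript
// Added model (not @fastify/express source). The "buggy" branch ASSUMES the
// mis-prefixing re-applies a child prefix to a mount path that already carries
// the parent's prefix; the real onRegister defect may differ in detail.

// Normalise and join path segments: joinPath('/api', '/admin') -> '/api/admin'.
function joinPath(...parts) {
  const joined = ('/' + parts.join('/')).replace(/\/+/g, '/');
  return joined.length > 1 ? joined.replace(/\/$/, '') : joined;
}

// Express mount semantics: middleware at '/' sees every request; otherwise the
// request path must equal the mount path or sit beneath it.
function middlewareMatches(mountPath, url) {
  return mountPath === '/' || url === mountPath || url.startsWith(mountPath + '/');
}

// Compute the middleware list a child plugin (registered with childPrefix)
// inherits from its parent. Each parent middleware remembers both the path it
// was registered with (relativePath) and its resolved mount path (mount).
function inheritMiddlewares(parentPrefix, parentMiddlewares, childPrefix, mode) {
  const childFullPrefix = joinPath(parentPrefix, childPrefix);
  return parentMiddlewares.map(mw => ({
    name: mw.name,
    mount: mode === 'fixed'
      ? joinPath(childFullPrefix, mw.relativePath) // prefix applied exactly once
      : joinPath(childFullPrefix, mw.mount),       // assumed bug: already-prefixed path prefixed again
  }));
}

// Names of the middlewares that actually run for a request to `url`.
function dispatch(middlewares, url) {
  return middlewares.filter(mw => middlewareMatches(mw.mount, url)).map(mw => mw.name);
}

// Scenario: a parent plugin under /api mounts requireAuth at its root, then a
// child plugin registered with prefix /admin exposes GET /users. With the
// correct mount the child route is guarded; with the mis-prefixed mount the
// request to /api/admin/users reaches the handler with no middleware run.
function simulate(mode) {
  const parentPrefix = '/api';
  const parentMiddlewares = [
    { name: 'requireAuth', relativePath: '/', mount: joinPath(parentPrefix, '/') },
  ];
  const inherited = inheritMiddlewares(parentPrefix, parentMiddlewares, '/admin', mode);
  const url = joinPath(parentPrefix, '/admin', '/users');
  return { url, mounts: inherited.map(mw => mw.mount), executed: dispatch(inherited, url) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('fixed:', simulate('fixed')); // executed: ['requireAuth']
  console.log('buggy:', simulate('buggy')); // executed: []
}
if (typeof module !== 'undefined') {
  module.exports = { joinPath, middlewareMatches, inheritMiddlewares, dispatch, simulate };
}
```

Run with `node model.js`: in `fixed` mode the inherited mount is `/api/admin` and `requireAuth` executes for `/api/admin/users`; in `buggy` mode the mount becomes `/api/admin/api`, nothing matches, and the request reaches the handler unauthenticated. The point the model makes is independent of the exact wrong prefix: any mount path that does not cover the child's routes silently removes the control.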
Business impact
This flaw effectively disables security layers such as authentication, authorization, and rate limiting for the affected routes. An attacker can reach protected endpoints without satisfying those controls, which means unauthorized data access and, where rate limiting was the bypassed control, denial of service; the CVSS score of 9.1 reflects this. Only routes defined in child plugins that inherit the middleware are affected, so the impact depends on what those routes expose.
Remediation
Immediate Action: Upgrade the @fastify/express package to version 4.0.5 or later, then confirm the fix by sending a request without credentials to a route registered in a child plugin and checking that the inherited middleware rejects it.
Proactive Monitoring: Identify the routes that depend on Express middleware registered in a parent plugin and inherited by child plugins, and watch access logs for successful responses on those endpoints from requests that carry no valid credentials.
Compensating Controls: Utilize a Web Application Firewall (WAF) to enforce access control policies at the edge while the application is being updated. This only substitutes for the bypassed middleware if the WAF can actually validate the application's credentials (sessions or tokens) for the affected paths; a WAF that merely filters payloads does not restore authentication.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The bypass of core security controls represents a critical failure in the application's defense-in-depth posture. Development and security teams should prioritize the update to version 4.0.5 or later to restore the intended restrictions across all plugin routes, and should treat any middleware-based control that is registered in a parent plugin and relied upon by child plugins as unverified until the upgraded application has been tested.