{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33807", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-23T19:48:48.715Z", "datePublished": "2026-04-15T09:52:26.838Z", "dateUpdated": "2026-04-15T13:09:45.259Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T09:55:50.627Z"}, "title": "@fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}], "affected": [{"vendor": "fastify", "product": "@fastify/express", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0.5", "versionType": "semver"}, {"status": "unaffected", "version": "4.0.5", "versionType": "semver"}], "defaultStatus": "unaffected", "packageURL": "pkg:npm/@fastify/express"}], "descriptions": [{"lang": "en", "value": "@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required.\n\nUpgrade to @fastify/express v4.0.5 or later.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<h3><span><span>@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required.<br></span><span><br>Upgrade to @fastify/express v4.0.5 or later.</span></span></h3>"}]}], "references": [{"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}}], "credits": [{"lang": "en", "value": "FredKSchott", "type": "reporter"}, {"lang": "en", "value": "mcollina", "type": "remediation developer"}, {"lang": "en", "value": "UlisesGascon", "type": "remediation reviewer"}, {"lang": "en", "value": "climba03003", "type": "remediation reviewer"}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"references": [{"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:09:41.621709Z", "id": "CVE-2026-33807", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:09:45.259Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33807", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T13:09:41.621709Z"}}}], "references": [{"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:09:33.633Z"}}], "cna": {"title": "@fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes", "credits": [{"lang": "en", "type": "reporter", "value": "FredKSchott"}, {"lang": "en", "type": "remediation developer", "value": "mcollina"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}, {"lang": "en", "type": "remediation reviewer", "value": "climba03003"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "fastify", "product": "@fastify/express", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0.5", "versionType": "semver"}, {"status": "unaffected", "version": "4.0.5", "versionType": "semver"}], "packageURL": "pkg:npm/@fastify/express", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "x_generator": {"engine": "cve-kit 1.0.0"}, "descriptions": [{"lang": "en", "value": "@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required.\n\nUpgrade to @fastify/express v4.0.5 or later.", "supportingMedia": [{"type": "text/html", "value": "<h3><span><span>@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required.<br></span><span><br>Upgrade to @fastify/express v4.0.5 or later.</span></span></h3>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T09:55:50.627Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33807", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:09:45.259Z", "dateReserved": "2026-03-23T19:48:48.715Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2026-04-15T09:52:26.838Z", "assignerShortName": "openjs"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required.\n\nUpgrade to @fastify/express v4.0.5 or later."}], "id": "CVE-2026-33807", "lastModified": "2026-04-15T14:16:15.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-04-15T10:16:48.310", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://cna.openjsf.org/security-advisories.html"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-436"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.0.5)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "4.0.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "@fastify/express", "source": "cna", "vendor": "fastify"}, "product": "fastify-express", "vendor": "fastify"}], "analysis": {"en": {"generated_at": "2026-04-15T11:27:05.275305+00:00", "value": {"mitigation_remediation": ["Upgrade the @fastify/express package to version 4.0.5 or later.", "Review all child plugin registrations and modify any prefixes that match existing middleware paths to prevent double prefixing.", "Test that Express middleware security controls are operational in child plugin routes before deploying changes to production."], "summary": {"action": "Apply Patch", "impact": "Authentication and Authorization Bypass"}, "threat_synthesis": {"affected_systems": "Any installation of @fastify/express version 4.0.4 or earlier that registers child plugins with prefixes is vulnerable. The affected vendor is fastify, and the product is the @fastify/express package. No other versions were listed as affected.", "description_and_impact": "The bug in @fastify/express causes middleware paths to be doubled when inherited by child plugins. Because the duplicated prefix prevents the middleware from matching incoming requests, all Express security controls\u2014authentication, authorization, and rate limiting\u2014are completely bypassed for routes defined within affected child plugin scopes. This results in an attacker being able to access protected routes without any credentials or restrictions.", "risk_and_exploitability": "The CVSS score is 9.1, indicating a critical level of severity. The EPSS score is not available, so exploitation probability is unknown, but the vulnerability can be exploited remotely by simply accessing the application; no special configuration or request crafting is required. The attack vector is inferred to be remote network access. The vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-04-15T13:49:14.856489+00:00", "updated": "2026-04-15T14:53:04.412595+00:00", "vendors": ["fastify", "fastify$PRODUCT$fastify-express"]}