PatchSiren cyber security CVE debrief
CVE-2026-33807 fastify CVE debrief
A critical path-handling vulnerability in @fastify/express versions 4.0.4 and earlier allows complete bypass of Express middleware security controls in child plugin scopes. The flaw resides in the `onRegister` function, which incorrectly doubles middleware paths when they are inherited by child plugins. When a child plugin is registered with a prefix that matches an existing middleware path, the middleware path receives the prefix a second time, rendering it non-matching for all incoming requests within that scope. This causes authentication, authorization, and rate-limiting middleware to be silently skipped without requiring special configuration or crafted requests. The vulnerability was published in the NVD on 15 April 2026 and last modified on 1 June 2026. The OpenJS Foundation CNA and Fastify maintainers have confirmed the issue and released a patched version.
- Vendor: fastify
- Product: @fastify/express
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-15
- Original CVE updated: 2026-06-01
- Advisory published: 2026-04-15
- Advisory updated: 2026-06-01
Who should care
Organizations running Node.js applications with @fastify/express ≤4.0.4 that rely on Express middleware for security boundaries in nested or prefixed plugin architectures. This includes applications using express-session, passport, express-rate-limit, or custom authentication/authorization middleware within Fastify child plugins.
Technical summary
The `onRegister` hook in @fastify/express ≤4.0.4 incorrectly concatenates plugin prefixes onto middleware paths that already contain the same prefix. When a child plugin inherits middleware from a parent scope, the middleware's path string is prefixed again with the child's prefix, producing a doubled path (e.g., `/api/api/auth`). This malformed path never matches legitimate incoming requests, so Express middleware mounted at the original path fails to execute for all routes within the affected child plugin scope. The result is a complete security control bypass with no user interaction or special request crafting required.
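The model below is an added illustration of the path doubling described above and of the post-upgrade check a defender would run; it is not @fastify/express's own code. `mountMatches`, `inheritIntoChild`, `middlewareRunFor` and `findDoubledPrefix` are assumed names, the sample middleware list is constructed, and the non-vulnerable branch models the expected behaviour rather than the actual patch.

```javascript
// Added model of the prefix-doubling defect, not @fastify/express's own code.
// Function names and the non-vulnerable branch are assumptions for illustration.

// Express-style mount matching: middleware mounted at `mount` runs for a URL
// equal to it or beginning with it followed by '/'.
function mountMatches(mount, url) {
  if (mount === '' || mount === '/') return true;
  return url === mount || url.startsWith(mount + '/');
}

// Inherit a parent scope's middleware into a child plugin registered with
// `childPrefix`. With vulnerable=true the prefix is prepended unconditionally,
// which is the defect: '/api/auth' under prefix '/api' becomes '/api/api/auth'.
// With vulnerable=false a path that already carries the prefix is kept as-is
// (modelled expected behaviour, not the actual patch).
function inheritIntoChild(parentMiddleware, childPrefix, vulnerable) {
  return parentMiddleware.map((mw) => {
    const alreadyPrefixed = mountMatches(childPrefix, mw.path);
    const path = !vulnerable && alreadyPrefixed ? mw.path : childPrefix + mw.path;
    return { name: mw.name, path };
  });
}

// Post-upgrade verification: which middleware would execute for a request URL
// inside the child scope. An empty list for a protected route means bypass.
function middlewareRunFor(middleware, url) {
  return middleware.filter((mw) => mountMatches(mw.path, url)).map((mw) => mw.name);
}

// Audit helper for scopes still on a vulnerable version: flag inherited
// middleware paths that begin with the child prefix twice.
function findDoubledPrefix(middleware, childPrefix) {
  const doubled = childPrefix + childPrefix;
  return middleware.filter((mw) => mountMatches(doubled, mw.path)).map((mw) => mw.path);
}

// Constructed sample: two security middleware registered in the parent scope,
// then a child plugin registered with prefix '/api'.
const PARENT_MIDDLEWARE = [
  { name: 'rateLimit', path: '/api' },
  { name: 'auth', path: '/api/auth' },
];
const CHILD_PREFIX = '/api';

if (typeof require !== 'undefined' && require.main === module) {
  const vulnerable = inheritIntoChild(PARENT_MIDDLEWARE, CHILD_PREFIX, true);
  const fixed = inheritIntoChild(PARENT_MIDDLEWARE, CHILD_PREFIX, false);
  console.log('doubled paths:', findDoubledPrefix(vulnerable, CHILD_PREFIX));
  console.log('runs (vulnerable):', middlewareRunFor(vulnerable, '/api/auth/login'));
  console.log('runs (fixed):', middlewareRunFor(fixed, '/api/auth/login'));
}
```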
Defensive priority
critical
Recommended defensive actions
- Upgrade @fastify/express to version 4.0.5 or later immediately.
- Audit all child plugin registrations that use path prefixes matching middleware paths to identify potentially affected scopes.
- Verify that authentication, authorization, and rate-limiting middleware are executing correctly in child plugin routes after upgrading.
- Review application logs for unexpected middleware bypass behavior in nested plugin configurations prior to the upgrade.
- Subscribe to Fastify and OpenJS Foundation security advisories for future vulnerability notifications.
Evidence notes
The vulnerability description and affected versions are sourced from the official NVD record. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and score of 9.1 are taken from NVD metadata. The CWE-436 classification is attributed to the OpenJS Foundation CNA reference. Vendor advisory and mitigation details are confirmed through GitHub Security Advisory GHSA-hrwm-hgmj-7p9c. The fix version 4.0.5 is explicitly stated in the CVE description and vendor advisory.
Official resources
- CVE-2026-33807 CVE record (CVE.org)
- CVE-2026-33807 NVD detail (NVD)
- Mitigation or vendor reference (ce714d77-add3-4f53-aff5-83d477b104bb): Vendor Advisory
- Mitigation or vendor reference (ce714d77-add3-4f53-aff5-83d477b104bb): Exploit, Mitigation, Vendor Advisory