A critical authentication bypass vulnerability exists in @fastify/express versions 4.0.4 and earlier. When Fastify router normalization options—specifically `ignoreDuplicateSlashes` or `useSemicolonDelimiter`—are enabled, the Fastify router normalizes incoming URLs to match protected routes, but @fastify/express passes the original un-normalized URL to Express middleware. This causes path-scoped authentic [truncated]
A critical path-handling vulnerability in @fastify/express versions 4.0.4 and earlier allows complete bypass of Express middleware security controls in child plugin scopes. The flaw resides in the `onRegister` function, which incorrectly doubles middleware paths when they are inherited by child plugins. When a child plugin is registered with a prefix that matches an existing middleware path, the middlewar [truncated]
