CVE-2026-33807— @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33807
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
@fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes
Source: NVD (National Vulnerability Database)
Vulnerability Description
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required. Upgrade to @fastify/express v4.0.5 or later.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
解释冲突
Source: NVD (National Vulnerability Database)
Vulnerability Title
@fastify/express 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
@fastify/express是Fastify开源的一个兼容性插件。 @fastify/express 4.0.4及之前版本存在安全漏洞,该漏洞源于onRegister函数中的路径处理错误导致中间件路径在被子插件继承时被重复添加,可能导致完全绕过Express中间件安全控制。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| fastify | @fastify/express | 0 ~ 4.0.5 | - |
II. Public POCs for CVE-2026-33807
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33807
请登录查看更多情报信息。
Same Patch Batch · fastify · 2026-04-15 · 3 CVEs total
| CVE-2026-33806 | 7.5 HIGH | fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Head |
| CVE-2026-33808 | @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps |
IV. Related Vulnerabilities
Same vendor: fastify
- CVE-2026-33808
@fastify/express vulnerable to middleware authentication byp - CVE-2026-33806
fastify vulnerable to Body Schema Validation Bypass via Lead - CVE-2026-3635
Fastify request.protocol and request.host spoofable via X-Fo - CVE-2026-3419
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malf - CVE-2026-25223
Fastify's Content-Type header tab character allows body vali
Same weakness: CWE-436
- CVE-2026-42273
Heimdall: Case-sensitive host matching may lead to policy by - CVE-2026-42272
Heimdall: Case-sensitive handling of URL-encoded slashes may - CVE-2026-30246
github.com/gofiber/fiber/v3 cache middleware can mix respons - CVE-2026-6322
fast-uri vulnerable to host confusion via percent-encoded au - CVE-2026-41248
Official Clerk JavaScript SDKs: Middleware-based route prot
V. Comments for CVE-2026-33807
No comments yet