CVE-2026-33807

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.5

Description A path handling bug in the onRegister() function causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix matching a middleware path, the path is prefixed a second time, preventing it from matching incoming requests. This leads to a complete bypass of Express middleware security controls, such as authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes.

Recommendations Upgrade to version 4.0.5 or later.