Impact
The vulnerability exists in @fastify/express versions 4.0.6 and earlier: middleware registered with a non-string mount path (such as an array or a regular expression) inside a prefixed plugin scope does not have the plugin prefix applied to that mount path. As a result, a request to a prefixed route reaches the route handler, but the middleware intended to guard it never executes, effectively bypassing authentication, authorization, rate limiting, or auditing logic. This represents a high severity flaw because it can grant attackers access to protected resources without proper checks.
Affected Systems
The affected package is @fastify/express, specifically all releases 4.0.6 and earlier. Applications that use prefixed plugins with non-string mount paths for middleware are at risk.
Risk and Exploitability
The CVSS score is 9.1, indicating critical severity. EPSS is not available, and the vulnerability is not listed in CISA KEV, but it is still a critical flaw. A remote attacker can trigger the bypass by sending a standard HTTP request to a prefixed route; the attack does not require elevated privileges or special conditions, making it highly exploitable.
OpenCVE Enrichment