Description
@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays of paths and regular expressions) are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms does not match the actual prefixed request path. Applications that use path-scoped middleware for authentication, authorization, rate limiting, or auditing on routes inside a prefixed scope can be bypassed by sending a request to the prefixed route, because Fastify still matches the route but the middleware is skipped. Patches: upgrade to @fastify/express 4.0.7. Workarounds: use string mount paths instead of arrays or regular expressions in prefixed plugins, or register one use call per path.
Published: 2026-06-30
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In @fastify/express 4.0.6 and earlier, middleware registered with a non-string mount path (an array of paths or a regular expression) inside a prefixed plugin scope is not rewritten with the plugin prefix. A request to the prefixed route still matches the route, but the middleware mounted on the unprefixed path never runs, so any authentication, authorization, rate-limiting, or auditing logic placed in that middleware is bypassed. The flaw is rated critical because an unauthenticated remote attacker can reach protected resources (high confidentiality and integrity impact) without the intended checks executing.

Affected Systems

The affected package is @fastify/express, specifically all releases 4.0.6 and earlier. Applications that use prefixed plugins with non-string mount paths for middleware are at risk.

Risk and Exploitability

The CVSS 3.1 score is 9.1 (critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: exploitable over the network, low attack complexity, no privileges, no user interaction, high confidentiality and integrity impact, and no availability impact. EPSS is not available and the vulnerability is not listed in CISA KEV. A remote attacker triggers the bypass by sending an ordinary HTTP request to a route inside the prefixed scope; the only precondition is that the application protects those routes with middleware mounted on an array or regular-expression path, which makes the issue easy to exploit wherever that pattern is used.

Generated by OpenCVE AI on June 30, 2026 at 16:12 UTC.

Remediation

Fixed in @fastify/express 4.0.7. Until the upgrade is applied, use string mount paths instead of arrays or regular expressions inside prefixed plugins, or register one use call per path.

OpenCVE Recommended Actions

  • Upgrade @fastify/express to version 4.0.7 or later
  • Refactor middleware registrations within prefixed plugins to use string mount paths only, or register a separate use call for each path
  • Validate that authentication, authorization, rate limiting, and auditing middleware are executed for all prefixed routes after applying the fix
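The mechanism in the description and the validation step above, as an added example that is not code from @fastify/express or Fastify: a small model of how a plugin prefix is combined with a middleware mount path, showing why a route inside a prefixed scope is matched while middleware mounted on an array or regular expression is skipped, how the one-use-call-per-string-path workaround avoids it, and a helper that flags registrations hitting the affected pattern. The scope object, the registration shape `{prefix, mount}` and the `/v1` paths are assumptions made for the illustration.

```javascript
// Added example for CVE-2026-6556; this is not code from @fastify/express or
// Fastify. It is a small model of how a plugin prefix is combined with a
// middleware mount path, written to show the behaviour the advisory describes
// and why the documented workaround (one use() call per string path) avoids it.

// Express-style mount matching (modelled): a string mount matches the request
// path itself or any path below it, an array matches if any element matches,
// and a regular expression is tested against the request path.
function mountMatches(mount, reqPath) {
  if (mount instanceof RegExp) return mount.test(reqPath);
  if (Array.isArray(mount)) return mount.some((m) => mountMatches(m, reqPath));
  if (mount === '' || mount === '/') return true;
  return reqPath === mount || reqPath.startsWith(mount + '/');
}

// Behaviour described for 4.0.6 and earlier (modelled here, not the library's
// code): only a string mount path gets the plugin prefix; an array or a
// regular expression is registered exactly as given.
function prefixMountAffected(prefix, mount) {
  return typeof mount === 'string' ? prefix + mount : mount;
}

// A toy prefixed plugin scope (assumed shape). Routes always get the prefix,
// as Fastify still matches them; middleware mount paths go through prefixMount.
function createScope(prefix, prefixMount) {
  const middleware = [];
  const routes = new Set();
  return {
    use(mount, fn) {
      middleware.push({ mount: prefixMount(prefix, mount), fn });
    },
    get(path) {
      routes.add(prefix + path);
    },
    // Which middleware would run for reqPath, and whether a route exists.
    dispatch(reqPath) {
      const ran = middleware
        .filter((m) => mountMatches(m.mount, reqPath))
        .map((m) => m.fn.name);
      return { routeMatched: routes.has(reqPath), middlewareRan: ran };
    },
  };
}

function requireAuth() {} // stands in for an auth, rate-limit or audit middleware

// Affected pattern: array and regex mount paths inside a '/v1' scope.
function vulnerableScenario() {
  const scope = createScope('/v1', prefixMountAffected);
  scope.use(['/admin', '/settings'], requireAuth);
  scope.use(/^\/(admin|settings)(\/|$)/, requireAuth);
  scope.get('/admin');
  return scope.dispatch('/v1/admin');
}

// Workaround from the advisory: one use() call per string path, so every
// mount path is a string and receives the prefix.
function usePerPath(scope, paths, fn) {
  for (const p of paths) scope.use(p, fn);
}

function workaroundScenario() {
  const scope = createScope('/v1', prefixMountAffected);
  usePerPath(scope, ['/admin', '/settings'], requireAuth);
  scope.get('/admin');
  return scope.dispatch('/v1/admin');
}

// Audit helper (assumed input shape: {prefix, mount} per use() registration):
// flags registrations that hit the affected code path, i.e. a non-string
// mount path inside a scope with a non-root prefix.
function findRiskyMounts(registrations) {
  return registrations
    .filter((r) => r.prefix && r.prefix !== '/' && typeof r.mount !== 'string')
    .map((r) => ({ prefix: r.prefix, mount: String(r.mount) }));
}

console.log('affected  :', vulnerableScenario());
console.log('workaround:', workaroundScenario());
console.log('audit     :', findRiskyMounts([
  { prefix: '/v1', mount: ['/admin', '/settings'] }, // constructed sample input
  { prefix: '/v1', mount: '/admin' },
  { prefix: '', mount: /^\/health/ },
]));
```

In the affected scenario the route `/v1/admin` is found but `middlewareRan` is empty, because the mount paths were stored as `/admin`, `/settings` and the regex rather than under `/v1`; the per-path registration stores `/v1/admin` and `/v1/settings` and the middleware runs. After upgrading to 4.0.7, the same kind of dispatch check against a real Fastify instance (request a prefixed route and assert the middleware ran) is the validation step the recommended actions call for.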


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 13:15:00 +0000

Type: Description
Values added: @fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays of paths and regular expressions) are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms does not match the actual prefixed request path. Applications that use path-scoped middleware for authentication, authorization, rate limiting, or auditing on routes inside a prefixed scope can be bypassed by sending a request to the prefixed route, because Fastify still matches the route but the middleware is skipped. Patches: upgrade to @fastify/express 4.0.7. Workarounds: use string mount paths instead of arrays or regular expressions in prefixed plugins, or register one use call per path.

Type: Title
Values added: @fastify/express vulnerable to middleware bypass via non-string mount paths in prefixed plugins

Type: Weaknesses
Values added: CWE-285

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-06-30T13:30:34.905Z

Reserved: 2026-04-18T09:00:13.828Z

Link: CVE-2026-6556

Vulnrichment

Updated: 2026-06-30T13:30:31.148Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T16:15:06Z

Weaknesses