@fastify/express for Node.js, all versions <= 4.0.4
Summary
This vulnerability is caused by a path-handling bug in the onRegister function of @fastify/express, which causes middleware paths to be doubled when inherited by child plugins. The result is a complete bypass of all Express middleware security controls, including authentication, authorization, and rate limiting. No special configuration or request crafting is required to exploit this flaw.
Remediation
Upgrade @fastify/express to version 4.0.5 or later immediately. Audit your application dependencies to confirm you are running the patched version. Test all security middleware functionality to ensure it is working correctly after the upgrade.