CVE-2026-6556: @fastify/express vulnerable to middleware bypass via non-string mount paths in prefixed plugins
@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays of paths and regular expressions) are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms does not match the actual prefixed request path. Applications that use path-scoped middleware for authentication, authorization, rate limiting, or auditing on routes inside a prefixed scope can be bypassed by sending a request to the prefixed route, because Fastify still matches the route but the middleware is skipped. Patches: upgrade to @fastify/express 4.0.7. Workarounds: use string mount paths instead of arrays or regular expressions in prefixed plugins, or register one use call per path.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: 4.0.7
- Affected Products: 1
HarborGuard Analysis
Synopsis
A middleware bypass in @fastify/express versions 4.0.6 and earlier lets security middleware be skipped on routes inside a prefixed plugin scope. The flaw is reachable over the network without any credentials: when middleware is mounted with an array of paths or a regular expression inside a prefixed plugin, @fastify/express does not rewrite that mount path with the plugin prefix, so the middleware never matches the prefixed request path while Fastify still routes the request normally. Authentication, authorization, rate-limiting, and auditing layers registered this way are silently skipped. An unauthenticated remote attacker can therefore read protected resources and tamper with data that the bypassed middleware was meant to guard. A patched-image rebuild at version 4.0.7 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle @fastify/express, across all connected registries and CI pipelines.
HarborGuard is capable of scoring this finding at CVSS 9.1 (Critical) and applying per-environment compliance policy weighting to prioritize it appropriately. Triage routing is available to direct the alert to the correct team or inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at @fastify/express 4.0.7 becomes available on HarborGuard as soon as the fix version is confirmed for an affected image. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable service must be reachable over the network; the attacker sends a crafted HTTP request to a route inside the prefixed scope without any prior foothold on the host.
- Authentication: Not required
No credentials are needed; the bypass works precisely because the middleware that would enforce authentication is skipped before any identity check occurs.
- Victim interaction: Not required
No user action or social engineering is required; the attacker sends the request directly and the bypass takes effect immediately.
- Attack complexity: Low (AC:L)
The exploit is reliable and involves no race condition or memory-layout dependency. The only precondition is on the target's configuration: the security middleware must be registered with an array of paths or a regular expression inside a prefixed plugin. The attacker then only needs to know the prefixed route path.
Blast Radius
- Reads data from routes protected by the bypassed middleware, including session tokens, user records, or any resource the authorization layer was meant to restrict.
- Modifies or writes data on prefixed routes where the bypassed middleware enforced write authorization or input validation controls.
- Bypasses rate-limiting middleware, enabling high-volume scraping or brute-force attempts against otherwise throttled endpoints.
- Evades auditing and logging middleware, leaving no trace in audit logs for actions taken on affected routes.
How HarborGuard Handles This
Available on HarborGuard: detection is matched against all images containing @fastify/express below 4.0.7 within minutes of CVE publication, covering both upstream base images and internally built images. Where compliance policy permits, a rebuilt image at version 4.0.7 is staged automatically. For customers with auto-remediation enabled, HarborGuard rebuilds the image, executes a regression test run, and opens a pull request against affected workloads; for Critical-severity findings, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled.

As a compensating control while a patch is applied, customers can register middleware using string mount paths instead of arrays or regular expressions inside prefixed plugin scopes, or split each path into a separate use call, so that the middleware path rewriting logic is triggered for every path.
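The following is an added example, not code from @fastify/express or from HarborGuard. It models the prefixing behaviour described in the advisory summary and in the compensating control above: a tiny `Scope` class that records middleware mounts under a plugin prefix, a `prefixMountVulnerable` rewrite that prefixes only string paths (the pre-4.0.7 behaviour as the advisory describes it), a `prefixMountFixed` rewrite that also prefixes each element of an array, and a `useEachPath` helper implementing the documented workaround of one string `use` call per path. The class names, the `dispatch` method, the simplified mount-matching rule (a string mount matches itself or any sub-path, a RegExp is tested against the whole request path) and the decision to reject RegExp mounts in `prefixMountFixed` are assumptions of this model, not the library's API or its actual fix.

```javascript
// Added example (not @fastify/express's own code): a simplified model of
// middleware mount-path prefixing inside a prefixed plugin scope, showing why
// array/RegExp mount paths were skipped before 4.0.7 and what the workaround does.
// Matching rule is simplified (assumption): a string mount matches the request
// path itself or any sub-path; a RegExp is tested against the full request path.

// Does the request path hit this mount (string, RegExp, or array of either)?
function mountMatches(mount, reqPath) {
  if (mount instanceof RegExp) return mount.test(reqPath);
  if (Array.isArray(mount)) return mount.some((m) => mountMatches(m, reqPath));
  const base = mount.replace(/\/$/, '');
  return reqPath === mount || reqPath.startsWith(base + '/');
}

// Pre-4.0.7 behaviour as the advisory describes it: only a string path receives
// the plugin prefix; arrays and RegExps are registered exactly as given.
function prefixMountVulnerable(prefix, mount) {
  return typeof mount === 'string' ? prefix + mount : mount;
}

// Corrected behaviour for the cases the advisory names: prefix every string
// element of an array too. A RegExp cannot be prefixed by concatenation, so this
// model refuses it rather than registering an unprefixed pattern (assumption:
// this is the model's choice, not necessarily how 4.0.7 handles RegExps).
function prefixMountFixed(prefix, mount) {
  if (typeof mount === 'string') return prefix + mount;
  if (Array.isArray(mount)) return mount.map((m) => prefixMountFixed(prefix, m));
  throw new TypeError('RegExp mount paths are not supported inside a prefixed scope');
}

// Minimal prefixed scope: records (mount, middleware) layers and replays them
// for a request path, returning the names of the middleware that ran.
class Scope {
  constructor(prefix, prefixMount) {
    this.prefix = prefix;
    this.prefixMount = prefixMount;
    this.layers = [];
  }
  use(mount, fn) {
    this.layers.push({ mount: this.prefixMount(this.prefix, mount), fn });
    return this;
  }
  dispatch(reqPath) {
    return this.layers
      .filter(({ mount }) => mountMatches(mount, reqPath))
      .map(({ fn }) => fn.name);
  }
}

// Workaround from the advisory: never hand the scope an array or RegExp; register
// one string path per use() call so the prefix rewrite fires for each of them.
function useEachPath(scope, paths, fn) {
  const list = Array.isArray(paths) ? paths : [paths];
  for (const p of list) {
    if (typeof p !== 'string') {
      throw new TypeError('use string mount paths inside prefixed plugins');
    }
    scope.use(p, fn);
  }
  return scope;
}

function requireAuth() {} // stand-in for an authentication middleware

// Scenario (constructed): a plugin registered with prefix '/api' wants to guard
// /admin and /users; a request arrives for /api/admin/users.
function demo() {
  const req = '/api/admin/users';
  const guard = ['/admin', '/users'];
  return {
    // Array mount, vulnerable rewrite: middleware never matches, auth is skipped.
    vulnerable: new Scope('/api', prefixMountVulnerable).use(guard, requireAuth).dispatch(req),
    // RegExp mount, vulnerable rewrite: same outcome, pattern never sees the prefix.
    regexVulnerable: new Scope('/api', prefixMountVulnerable)
      .use(/^\/(admin|users)(\/|$)/, requireAuth).dispatch(req),
    // Plain string mount was always rewritten, so it matches.
    stringMount: new Scope('/api', prefixMountVulnerable).use('/admin', requireAuth).dispatch('/api/admin'),
    // Array mount under the corrected rewrite: each element is prefixed.
    fixed: new Scope('/api', prefixMountFixed).use(guard, requireAuth).dispatch(req),
    // Workaround on the vulnerable rewrite: one string use() per path.
    workaround: useEachPath(new Scope('/api', prefixMountVulnerable), guard, requireAuth).dispatch(req),
  };
}

console.log(demo());
```

Running the block prints the per-scenario list of middleware that executed; the two vulnerable scenarios return an empty list while Fastify would still have routed `/api/admin/users`, which is exactly the gap the advisory describes. When auditing an application, grepping for `.use([` and `.use(/` inside plugins registered with a `prefix` option is a quick way to find mounts that need the workaround.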
Fix available
- @fastify/express: affected versions < 4.0.7 (from 0); fixed in 4.0.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N