VYPR

npm package

@fastify/express

pkg:npm/%40fastify/express

Vulnerabilities (3)

  • CVE-2026-33808CriApr 15, 2026
    affected < 4.0.5fixed 4.0.5

    Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashe

  • CVE-2026-33807CriApr 15, 2026
    affected < 4.0.5fixed 4.0.5

    @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed

  • CVE-2026-22037HigJan 19, 2026
    affected < 4.0.3fixed 4.0.3

    The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/a