CRITICAL🇬🇧 English

CVE-2026-6556

CVSS 9.1v3.1pub. 2026-06-30upd. 2026-07-01

@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays of paths and regular expressions) are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms does not match the actual prefixed request path. Applications that use path-scoped middleware for authentication, authorization, rate limiting, or auditing on routes inside a prefixed scope can be bypassed by sending a request to the prefixed route, because Fastify still matches the route but the middleware is skipped. Patches: upgrade to @fastify/express 4.0.7. Workarounds: use string mount paths instead of arrays or regular expressions in prefixed plugins, or register one use call per path.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Fastify Fastify\/express

    APP
    Fastify
    < 4.0.7
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-33807CRITICAL9.1PL ✓ten sam produkt

Pominięcie middleware security w @fastify/express — bypass uwierzytelniania

CVE-2026-33808CRITICAL9.1PL ✓ten sam produkt

Pominięcie uwierzytelnienia w @fastify/express via znormalizowane URL

CVE-2026-14198CRITICAL9.1ten sam vendor

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before ...

CVE-2026-6270CRITICAL9.1PL ✓ten sam vendor

Pominięcie uwierzytelnienia w @fastify/middie — brak dziedziczenia middleware

CVE-2026-33805CRITICAL9.0PL ✓ten sam vendor

Usuwanie nagłówków proxy przez manipulację nagłówkiem Connection w @fastify/reply-from