@fastify/express
npm · 3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @fastify/express (page 1 of 1)
- CVE-2026-22037 · HIGH · CVSS 8.4 · EG 8.4 · ✓ Fixed in 4.0.3 · 2026-01-19
The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded ch…
- CVE-2026-33807 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 4.0.5 · 2026-04-15
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middlewa…
- CVE-2026-33808 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 4.0.5 · 2026-04-15
Impact: @fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via dup…