External risk intelligence

@fastify/express Middleware Path Bypass Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-6556

The vulnerability affects a middleware plugin for a web framework used to build web applications and APIs. Since these components are commonly deployed as internet-facing services to handle web requests, authentication, and authorization, the vulnerable code is frequently exposed to the public internet.

Fastify\/express

before 4.0.7

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in the `@fastify/express` middleware for Node.js applications. When certain types of paths are used to mount middleware within prefixed plugin scopes, an attacker could bypass security controls like authentication or authorization checks. The primary concern is confirming whether this specific middleware configuration is in use within your applications.

  • Middleware bypass possible on prefixed routes.
  • Security controls could be circumvented by attackers.
  • Confirm if this middleware configuration is used.

Attack Path

How an attacker could exploit the issue

An attacker could bypass security middleware like authentication or authorization by sending a request to a prefixed route. This bypass occurs because the @fastify/express plugin incorrectly handles non-string path arguments for middleware, causing the middleware to be skipped even when the route is matched. This could allow unauthorized access to application features.

  • No authentication or privileges required.
  • Middleware skips on prefixed routes.
  • Bypasses security controls.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow attackers to bypass middleware protections like authentication or authorization when accessing routes within a prefixed plugin scope. This occurs when non-string path arguments, such as arrays or regular expressions, are used for middleware mounting within these prefixed scopes. Applications relying on these middleware for security controls on their prefixed routes may be vulnerable to bypass.

  • Authentication and authorization middleware at risk.
  • Bypass occurs via specially crafted requests.
  • Unprotected access to sensitive routes.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world impact likely falls to application owners and platform teams responsible for web services, with the initial step being to identify all instances of the affected middleware, confirm their exposure and criticality, and then assign ownership for remediation.

  • Application owners should own the issue.
  • Verify middleware configuration and exposure.
  • Plan upgrades during maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is @fastify/express?

@fastify/express is a plugin for the Fastify web framework for Node.js. It allows developers to use Express.js-style middleware within Fastify applications. This is commonly used to add functionality like authentication, logging, or rate limiting to web services and APIs. Because it bridges two popular ecosystems, it is frequently found in web applications that require compatibility with existing Express middleware while leveraging Fastify's performance.

What is the security weakness in CVE-2026-6556?

This vulnerability is classified as CWE-285, which relates to improper authorization. It occurs because the plugin fails to correctly apply prefix paths when middleware is mounted using arrays or regular expressions. As a result, the application treats the request as valid but skips the security checks that should have protected that specific route, effectively allowing unauthorized access to protected features.

How can an attacker trigger this bypass?

An attacker triggers this by sending a request to a route that sits inside a prefixed plugin scope where middleware is mounted using non-string paths. The bypass does not occur if the middleware is mounted using a simple string path, nor does it happen if the route is not part of a prefixed plugin scope. The vulnerability specifically exists where complex path types cause the routing logic to mismatch the middleware, leaving the protected resource unguarded.

Is my application vulnerable to this middleware bypass?

If you use @fastify/express to manage security controls like authentication or authorization on your routes, you should investigate your configuration. Halo Surface Signal notes that since this component is often used in internet-facing web services to handle incoming requests, it is likely that the affected code is exposed to the public internet, making it a priority to check if your application relies on non-string path arguments for middleware mounting.

How do I secure my application against this?

The most effective way to resolve this is to upgrade to @fastify/express version 4.0.7 or later, which corrects how these paths are handled. If an immediate upgrade is not possible, you can temporarily mitigate the risk by ensuring all middleware mount paths are defined as simple strings instead of arrays or regular expressions, or by registering each path individually with its own middleware call.

References