Listen to this Post
How the mentioned CVE works (around 20 lines):
The vulnerability resides in `@fastify/express` v4.0.4, specifically in the `onRegister` function (index.js lines 92-101). When a child plugin registers with a prefix, the hook copies middleware from the parent scope and re-registers it using instance.use(...middleware). However, the middleware paths stored in `kMiddlewares` are already prefixed from their original registration.
Example flow:
- Parent registers
app.use('/admin', authFn). The `use()` function calculates path as `” + ‘/admin’ = ‘/admin’` and stores['/admin', authFn]. - Child registers with
{ prefix: '/admin' }, triggeringonRegister(instance).
3. `onRegister` copies parent middleware and calls `instance.use(‘/admin’, authFn)` on the child. - Child’s `use()` function recalculates path as
'/admin' + '/admin' = '/admin/admin', registering middleware under the doubled path. - Routes in child scope (e.g.,
/admin/secret) use the child’s Express instance, but the middleware is now mounted at `/admin/admin` – requests to `/admin/secret` never match, so middleware is silently skipped.
Root cause: the `use()` function (lines 25-26) always prepends `this.prefix` to string paths, combined with `onRegister` re-calling `use()` with already-prefixed paths. No special configuration or request crafting is required; default Fastify setups are affected.
dailycve form:
Platform: Fastify
Version: 5.x
Vulnerability: Middleware path doubling
Severity: Critical
date: 2024-XX-XX
Prediction: Patch within 14 days
What Undercode Say:
Check vulnerable version npm list @fastify/express Expected output: @fastify/[email protected] Reproduce bypass (PoC from ) node poc.js Output shows 403 for root, 200 for child (bypass) Monitor child plugin registrations grep -r "register.prefix" ./routes/
how Exploit:
Send normal HTTP request to child-scoped route (e.g., GET /admin/secret). No auth headers needed. Request reaches child Express instance where middleware is mounted on `/admin/admin` instead of /admin, so middleware never executes. Attacker gains unauthorized access to all routes in any child plugin whose prefix overlaps with parent middleware path.
Protection from this CVE
Upgrade to patched version (once available). Temporary workaround: avoid path-scoped middleware on parent when using child plugins with same prefix, or use global middleware (path /) which is not affected due to special case handling. Alternative: manually re-apply middleware inside each child plugin.
Impact:
Complete bypass of authentication, authorization, rate limiting, CSRF protection, audit logging, and any middleware-based security for all routes in child plugin scopes. Silent failure – no errors or warnings. Affects idiomatic Fastify plugin patterns in production.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

