@fastify/express, Middleware Path Handling Bug, CVE-2024-XXXX (Critical)

Listen to this Post

How the mentioned CVE works (around 20 lines):

The vulnerability resides in `@fastify/express` v4.0.4, specifically in the `onRegister` function (index.js lines 92-101). When a child plugin registers with a prefix, the hook copies middleware from the parent scope and re-registers it using instance.use(...middleware). However, the middleware paths stored in `kMiddlewares` are already prefixed from their original registration.

Example flow:

  1. Parent registers app.use('/admin', authFn). The `use()` function calculates path as `” + ‘/admin’ = ‘/admin’` and stores ['/admin', authFn].
  2. Child registers with { prefix: '/admin' }, triggering onRegister(instance).
    3. `onRegister` copies parent middleware and calls `instance.use(‘/admin’, authFn)` on the child.
  3. Child’s `use()` function recalculates path as '/admin' + '/admin' = '/admin/admin', registering middleware under the doubled path.
  4. Routes in child scope (e.g., /admin/secret) use the child’s Express instance, but the middleware is now mounted at `/admin/admin` – requests to `/admin/secret` never match, so middleware is silently skipped.
    Root cause: the `use()` function (lines 25-26) always prepends `this.prefix` to string paths, combined with `onRegister` re-calling `use()` with already-prefixed paths. No special configuration or request crafting is required; default Fastify setups are affected.

dailycve form:

Platform: Fastify
Version: 5.x
Vulnerability: Middleware path doubling
Severity: Critical
date: 2024-XX-XX

Prediction: Patch within 14 days

What Undercode Say:

Check vulnerable version
npm list @fastify/express
Expected output: @fastify/[email protected]
Reproduce bypass (PoC from )
node poc.js
Output shows 403 for root, 200 for child (bypass)
Monitor child plugin registrations
grep -r "register.prefix" ./routes/

how Exploit:

Send normal HTTP request to child-scoped route (e.g., GET /admin/secret). No auth headers needed. Request reaches child Express instance where middleware is mounted on `/admin/admin` instead of /admin, so middleware never executes. Attacker gains unauthorized access to all routes in any child plugin whose prefix overlaps with parent middleware path.

Protection from this CVE

Upgrade to patched version (once available). Temporary workaround: avoid path-scoped middleware on parent when using child plugins with same prefix, or use global middleware (path /) which is not affected due to special case handling. Alternative: manually re-apply middleware inside each child plugin.

Impact:

Complete bypass of authentication, authorization, rate limiting, CSRF protection, audit logging, and any middleware-based security for all routes in child plugin scopes. Silent failure – no errors or warnings. Affects idiomatic Fastify plugin patterns in production.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top