@fastify/express (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package @fastify/express, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (3)
CVE-2026-33807 — CVSS 9.1 (critical): @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when…
CVE-2026-33808 — CVSS 9.1 (critical): Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router…
CVE-2026-22037 — CVSS 8.4 (high): The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to…