2 matches found
CVE-2026-6556 @fastify/express vulnerable to middleware bypass via non-string mount paths in prefixed plugins
@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays of paths and regular expressions) are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms doe...
CVE-2026-6556
The CVE concerns @fastify/express 4.0.6 and earlier, where non-string mount paths (arrays/regex) are not prefixed inside prefixed plugin scopes. This causes middleware registered with those forms to not match the actual prefixed request path, potentially bypassing path-scoped security middleware ...