CVE-2026-22031
Path Traversal Bypass in @fastify/middie Middleware Pre
Publication date: 2026-01-19
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openjsf | @fastify/middie | < 9.1.0 (9.1.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-177 | The product does not properly handle when all or part of an input has been URL encoded. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22031 is a security vulnerability in the @fastify/middie middleware package where middleware registered for specific path prefixes can be bypassed by using URL-encoded characters in the request path. The middleware matches paths using regular expressions against the raw, undecoded URL (e.g., '/%61dmin'), while Fastify's internal router decodes the URL before matching routes (e.g., decoding '/%61dmin' to '/admin'). This mismatch causes the middleware to skip execution for encoded URLs, but the route handler still executes, allowing attackers to access protected endpoints without middleware protections like authentication or rate limiting. The issue is fixed in version 9.1.0 by decoding URL paths before middleware matching. [2, 4, 1]
How can this vulnerability impact me?
This vulnerability can allow attackers to bypass middleware protections such as authentication, authorization, rate limiting, or IP filtering on protected routes. As a result, attackers can gain unauthorized access to sensitive or protected endpoints in applications using @fastify/middie middleware, potentially leading to data breaches, unauthorized actions, or service disruptions. The severity is high with a CVSS v3.1 base score of 8.4. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether middleware protections are bypassed when accessing URL-encoded paths. For example, if you have middleware protecting the '/admin' path, you can test access by sending requests to both '/admin' and its URL-encoded equivalent '/%61dmin'. If the request to '/admin' is blocked but the request to '/%61dmin' is allowed, the system is vulnerable. Commands to test this could include using curl or similar tools:

1. `curl -i http://yourserver/admin`
2. `curl -i http://yourserver/%61dmin`

Comparing the responses will indicate whether middleware is bypassed for encoded paths. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the @fastify/middie package to version 9.1.0 or later, where the vulnerability is fixed by properly decoding URL paths before matching middleware routes. This ensures that middleware protections cannot be bypassed using URL-encoded characters. Applying this update will align middleware matching with Fastify's route handling and close the bypass. [2, 4, 1]
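To make the mismatch concrete, the following is an added example and not code from @fastify/middie or Fastify: a minimal model of a path-prefix matcher run against the raw request path (the vulnerable behaviour) and against the decoded path (the fixed behaviour), with the router modelled as an exact match on the decoded path. The regex shape, `decodeURIComponent` as the decoder and the exact-match router are assumptions of this model, not the libraries' actual implementations.

```javascript
// Model of CVE-2026-22031: middleware prefix matching on the raw URL vs.
// the router matching on the decoded URL. Assumed shapes, not library code.

// Escape a literal prefix so it can be embedded in a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Prefix matcher: true when `path` is `prefix` or lies under it
// (assumed shape, e.g. /^\/admin(?:\/|$)/ for the prefix '/admin').
function prefixMatches(path, prefix) {
  const re = new RegExp('^' + escapeRegExp(prefix) + '(?:/|$)');
  return re.test(path);
}

// Strip the query string; the path portion is what gets matched.
function pathOf(rawUrl) {
  return rawUrl.split('?')[0];
}

// Decode percent-encoding. A malformed sequence (e.g. a truncated
// multi-byte escape) makes decodeURIComponent throw; fall back to the raw
// path instead of crashing the request pipeline.
function decodePath(rawPath) {
  try {
    return decodeURIComponent(rawPath);
  } catch {
    return rawPath;
  }
}

// Vulnerable (< 9.1.0): the middleware prefix is matched against the raw,
// undecoded path, so '/%61dmin' never matches the '/admin' prefix.
function middlewareRunsVulnerable(rawUrl, prefix) {
  return prefixMatches(pathOf(rawUrl), prefix);
}

// Fixed (9.1.0): decode first, so the middleware sees the same path the
// router will match on.
function middlewareRunsFixed(rawUrl, prefix) {
  return prefixMatches(decodePath(pathOf(rawUrl)), prefix);
}

// Router side (assumed model): routes are matched on the decoded path.
function routeMatches(rawUrl, route) {
  return decodePath(pathOf(rawUrl)) === route;
}

// Detection check: a bypass is a request the router would serve while the
// middleware guarding that prefix would not run.
function isBypass(rawUrl, prefix, route, middlewareRuns) {
  return routeMatches(rawUrl, route) && !middlewareRuns(rawUrl, prefix);
}
```

Run `isBypass('/%61dmin', '/admin', '/admin', middlewareRunsVulnerable)` to see the bypass and swap in `middlewareRunsFixed` to see it closed; the same check applies to any prefix/route pair your application registers.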
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to bypass middleware protections such as authentication, authorization, rate limiting, or IP filtering by exploiting improper handling of URL-encoded characters. As a result, protected endpoints can be accessed without the intended security controls, potentially leading to unauthorized access to sensitive data or systems. Such unauthorized access could cause non-compliance with common standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information. Therefore, the vulnerability poses a risk to compliance by undermining security measures designed to protect data privacy and integrity. [2, 4]