CVE-2026-22037
Path Traversal Bypass in @fastify/express Middleware Prior to
Publication date: 2026-01-19
Last updated on: 2026-01-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastify | express | to 4.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
| CWE-177 | The product does not properly handle when all or part of an input has been URL encoded. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the @fastify/express plugin before version 4.0.3, where middleware registered with a specific path prefix can be bypassed by using URL-encoded characters in the path (e.g., '/%61dmin' instead of '/admin'). The middleware engine fails to decode and match the encoded path, so it skips executing the middleware, but the underlying Fastify router correctly decodes the path and matches the route handler. This allows attackers to access protected endpoints without the middleware constraints, effectively bypassing protections like authentication or access controls. [2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to bypass middleware protections such as authentication or access controls by using URL-encoded paths. As a result, attackers can gain unauthorized access to protected endpoints, leading to high confidentiality and integrity loss. The availability impact is low, but the unauthorized access can expose sensitive data or allow unauthorized actions within the application. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by testing if middleware protections on your Fastify application using @fastify/express are bypassed when accessing URL-encoded paths. For example, if you have middleware protecting the path '/admin', try accessing '/%61dmin' (where '%61' is the URL-encoded 'a'). If the middleware is bypassed and the route handler responds normally, your system is vulnerable. A practical test command using curl would be: curl -i http://yourserver/%61dmin and compare it to curl -i http://yourserver/admin to see if middleware is enforced differently. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade the @fastify/express package to version 4.0.3 or later, where the vulnerability is patched. The fix involves decoding URL paths before middleware matching to prevent bypass via URL-encoded characters. Applying this update ensures middleware protections correctly match encoded paths and block unauthorized access. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows attackers to bypass middleware protections and access protected endpoints without proper authentication or access controls, leading to high confidentiality and integrity loss. Such unauthorized access to sensitive data or systems can result in non-compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information. [2]