CVE-2026-22037
Unknown Unknown - Not Provided
Path Traversal Bypass in @fastify/express Middleware Prior to

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch fort the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-01-19
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22037
EUVD
EUVD-2026-3320
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fastify express to 4.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
CWE-177 The product does not properly handle when all or part of an input has been URL encoded.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the @fastify/express plugin before version 4.0.3, where middleware registered with a specific path prefix can be bypassed by using URL-encoded characters in the path (e.g., '/%61dmin' instead of '/admin'). The middleware engine fails to decode and match the encoded path, so it skips executing the middleware, but the underlying Fastify router correctly decodes the path and matches the route handler. This allows attackers to access protected endpoints without the middleware constraints, effectively bypassing protections like authentication or access controls. [2]

Impact Analysis

This vulnerability can allow attackers to bypass middleware protections such as authentication or access controls by using URL-encoded paths. As a result, attackers can gain unauthorized access to protected endpoints, leading to high confidentiality and integrity loss. The availability impact is low, but the unauthorized access can expose sensitive data or allow unauthorized actions within the application. [2]

Detection Guidance

You can detect this vulnerability by testing if middleware protections on your Fastify application using @fastify/express are bypassed when accessing URL-encoded paths. For example, if you have middleware protecting the path '/admin', try accessing '/%61dmin' (where '%61' is the URL-encoded 'a'). If the middleware is bypassed and the route handler responds normally, your system is vulnerable. A practical test command using curl would be: curl -i http://yourserver/%61dmin and compare it to curl -i http://yourserver/admin to see if middleware is enforced differently. [2]

Mitigation Strategies

The immediate mitigation is to upgrade the @fastify/express package to version 4.0.3 or later, where the vulnerability is patched. The fix involves decoding URL paths before middleware matching to prevent bypass via URL-encoded characters. Applying this update ensures middleware protections correctly match encoded paths and block unauthorized access. [1, 2]

Compliance Impact

This vulnerability allows attackers to bypass middleware protections and access protected endpoints without proper authentication or access controls, leading to high confidentiality and integrity loss. Such unauthorized access to sensitive data or systems can result in non-compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22037. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart