CVE-2026-22037 Overview
A security vulnerability exists in the @fastify/express plugin that allows attackers to bypass middleware authentication and authorization controls through URL-encoded path traversal. The @fastify/express plugin provides full Express compatibility to Fastify applications, but versions prior to 4.0.3 contain a path matching flaw that enables unauthorized access to protected endpoints.
The vulnerability arises from a mismatch between how the middleware engine and the underlying Fastify router handle URL-encoded paths. When middleware is registered with a specific path prefix (e.g., /admin), attackers can bypass these security controls by using URL-encoded equivalents (e.g., /%61dmin). The middleware engine fails to match the encoded path and skips execution, while Fastify correctly decodes and routes the request to the protected handler.
Critical Impact
Attackers can bypass authentication middleware and access control mechanisms to reach protected API endpoints without authorization, potentially exposing sensitive data and functionality.
Affected Products
- @fastify/express versions prior to 4.0.3
- Fastify applications using @fastify/express middleware for path-based access control
- Node.js applications with Express middleware compatibility layers
Discovery Timeline
- 2026-01-19 - CVE CVE-2026-22037 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2026-22037
Vulnerability Analysis
This authorization bypass vulnerability (CWE-177: Improper Handling of URL Encoding) stems from inconsistent path normalization between the middleware matching layer and the Fastify routing engine. When security-critical middleware is registered on a path prefix, the application expects all requests to that path to pass through the middleware before reaching the route handler.
The vulnerability enables a complete bypass of middleware-based security controls. In typical deployments, this could mean bypassing authentication checks, authorization policies, rate limiting, input validation, or audit logging that administrators believed were protecting specific routes.
This vulnerability is similar to CVE-2026-22031 but affects a different npm module with its own codebase. Organizations using @fastify/express for middleware compatibility should treat this as a distinct vulnerability requiring separate remediation.
Root Cause
The root cause lies in how @fastify/express matches incoming request paths against registered middleware paths. The middleware matching logic compares paths without first decoding URL-encoded characters, while the Fastify router performs proper URL decoding before route matching.
This creates a security gap where:
- A request to /%61dmin/sensitive is not recognized as matching the /admin middleware prefix
- The middleware is skipped entirely
- Fastify decodes the path to /admin/sensitive and routes to the protected handler
- The handler executes without the expected middleware protections
Attack Vector
The attack exploits the network-accessible nature of web applications. An attacker with low privileges can craft HTTP requests containing URL-encoded path segments to bypass middleware restrictions. The attack requires no user interaction and can affect resources beyond the vulnerable component's scope.
An attacker identifies a protected endpoint (e.g., /admin/users) and replaces characters with their URL-encoded equivalents. Common encoding substitutions include %61 for a, %64 for d, or %2f for /. The request bypasses middleware but reaches the intended route handler.
const fp = require('fastify-plugin')
const Express = require('express')
+const FindMyWay = require('find-my-way')
const kMiddlewares = Symbol('fastify-express-middlewares')
function fastifyExpress (fastify, options, next) {
Source: GitHub Commit Change
The patch introduces find-my-way to properly decode paths before matching against registered middleware, ensuring consistent path handling between the middleware layer and router.
Detection Methods for CVE-2026-22037
Indicators of Compromise
- HTTP access logs containing URL-encoded characters in path segments that would normally be alphanumeric (e.g., /%61dmin, /%75ser, /%61pi)
- Requests to protected endpoints that lack corresponding middleware execution logs
- Authentication or authorization middleware logs showing gaps where protected routes were accessed
- Unusual access patterns to administrative or sensitive API endpoints from unauthorized sources
Detection Strategies
- Implement web application firewall (WAF) rules to detect and alert on excessive URL encoding in path segments
- Configure application logging to capture both raw and decoded request paths for comparison analysis
- Deploy anomaly detection for access to protected routes that bypasses expected middleware execution flow
- Monitor for requests containing double-encoding or unusual character substitutions in URI paths
Monitoring Recommendations
- Enable verbose logging in @fastify/express to track middleware execution per request
- Implement request correlation to verify middleware execution for all protected route accesses
- Set up alerts for any access to administrative endpoints that doesn't include expected authentication headers or session tokens
- Review access logs for patterns of encoded path requests targeting known protected prefixes
How to Mitigate CVE-2026-22037
Immediate Actions Required
- Upgrade @fastify/express to version 4.0.3 or later immediately
- Audit all middleware registrations to identify security-critical path-based middleware
- Review access logs for evidence of exploitation attempts using URL-encoded path bypasses
- Consider implementing additional authorization checks at the route handler level as defense-in-depth
Patch Information
The vulnerability is resolved in @fastify/express version 4.0.3. The fix introduces the find-my-way library to properly decode request paths before matching against registered middleware paths. This ensures consistent path handling between middleware matching and route resolution.
Organizations should update their package.json dependencies and run npm update @fastify/express or yarn upgrade @fastify/express to obtain the patched version. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Implement authorization checks directly in route handlers rather than relying solely on path-based middleware
- Deploy a reverse proxy or WAF that normalizes URL-encoded paths before forwarding requests to the application
- Add custom middleware at the application root that decodes and re-encodes paths consistently before processing
- Temporarily disable access to sensitive endpoints until the patch can be applied
# Upgrade @fastify/express to patched version
npm install @fastify/express@4.0.3
# Verify installed version
npm list @fastify/express
# For yarn users
yarn add @fastify/express@4.0.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
