CVE-2026-22037

Published: Jan 19, 2026

Modified: Jan 20, 2026

PUBLISHED

CVSS v3.1

8.4

HIGH

Description

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch fort the issue.

Vendor	Product	Versions
fastify	fastify-express	affected `< 4.0.3`

Weaknesses (CWE)

CWE-177

CWE-288

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

References

https://github.com/fastify/fastify-express/security/advisories/GHSA-g6q3-96cp-5r5m

x_refsource_CONFIRM

https://github.com/fastify/fastify-express/commit/dc02a3fe1387f945143f22597baa42557d549a40

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-22037

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References