CVE-2026-22037
📋 TL;DR
The @fastify/express plugin vulnerability allows attackers to bypass middleware protection by using URL-encoded characters in paths. This affects applications using @fastify/express versions before 4.0.3 that rely on path-based middleware for security controls like authentication or authorization.
💻 Affected Systems
- @fastify/express (fastify-express)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers can access protected administrative endpoints, sensitive data, or perform unauthorized actions by bypassing authentication/authorization middleware.
Likely Case
Unauthorized access to protected routes that should require authentication or specific permissions.
If Mitigated
Limited impact if additional security layers exist beyond path-based middleware, or if affected endpoints don't expose sensitive functionality.
🎯 Exploit Status
Exploitation requires only URL manipulation with encoded characters. No special tools or deep technical knowledge needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.3
Vendor Advisory: https://github.com/fastify/fastify-express/security/advisories/GHSA-g6q3-96cp-5r5m
Restart Required: Yes
Instructions:
1. Update package.json to specify @fastify/express version 4.0.3 or higher.
2. Run 'npm update @fastify/express' or 'yarn upgrade @fastify/express'.
3. Restart your application server.
🔧 Temporary Workarounds
Middleware path normalization
Add a custom hook that normalizes URL paths before @fastify/express middleware matching runs.
// Add this before other middleware:
fastify.addHook('onRequest', (request, reply, done) => {
  try {
    // request.url is a read-only getter in Fastify; express middleware matches on raw.url
    request.raw.url = decodeURIComponent(request.raw.url);
  } catch (err) {
    return reply.code(400).send('Malformed URL encoding'); // URIError on bad %xx
  }
  done();
});
🧯 If You Can't Patch
- Implement additional authentication/authorization checks in route handlers, not just middleware
- Use Web Application Firewall (WAF) rules to block requests with URL-encoded characters in sensitive paths
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list @fastify/express' to see if the installed version is below 4.0.3
Check Version:
npm list @fastify/express | grep @fastify/express
Verify Fix Applied:
After updating, test protected endpoints with URL-encoded paths (e.g., /%61dmin) to ensure middleware still executes
📡 Detection & Monitoring
Log Indicators:
- Requests to protected paths with URL-encoded characters
- Successful access to admin/authenticated routes without auth logs
Network Indicators:
- HTTP requests with % encoded characters in path segments
- Patterns of failed auth followed by encoded path attempts
SIEM Query:
http.path:*%* AND (http.path:*admin* OR http.path:*auth* OR http.path:*api*)
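The following is an added example, not code from the advisory or the fastify project. It shows the mismatch the advisory describes (a prefix check on the raw path misses /%61dmin while the decoded route is /admin) and applies the same idea as the SIEM query above to constructed access-log lines; the protected prefixes and the log lines are assumptions made for illustration.

```javascript
// Added example (not from the advisory or fastify): a raw-path prefix check
// misses percent-encoded spellings of a protected route; this flags such
// requests in access logs. Prefixes and log lines are constructed.
const PROTECTED_PREFIXES = ['/admin', '/auth', '/api'];

// Decode %xx escapes in the path part of the URL; decodeURIComponent throws
// URIError on malformed sequences, reported here as null rather than ignored.
function normalizePath(rawUrl) {
  try {
    return decodeURIComponent(rawUrl.split('?')[0]);
  } catch (err) {
    return null;
  }
}

// Compare what a raw-path prefix check sees with the decoded route.
function classifyRequest(rawUrl) {
  const raw = rawUrl.split('?')[0];
  const decoded = normalizePath(rawUrl);
  const rawProtected = PROTECTED_PREFIXES.some((p) => raw.startsWith(p));
  const decodedProtected =
    decoded !== null && PROTECTED_PREFIXES.some((p) => decoded.startsWith(p));
  return {
    raw,
    decoded,
    // Raw-path middleware would not run, yet a protected route is served.
    bypassSuspected: decodedProtected && !rawProtected,
    malformed: decoded === null,
  };
}

// Constructed access-log lines (sample data, Common Log Format-like).
const SAMPLE_LOG = [
  '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /admin/users HTTP/1.1" 401 0',
  '203.0.113.5 - - [01/Jan/2026:10:00:03 +0000] "GET /%61dmin/users HTTP/1.1" 200 512',
  '198.51.100.7 - - [01/Jan/2026:10:01:00 +0000] "GET /api/%76ersion HTTP/1.1" 200 20',
  '198.51.100.7 - - [01/Jan/2026:10:02:00 +0000] "GET /%zz HTTP/1.1" 400 0',
];
// Extract the request path from each line and return the ones worth review.
function findBypassAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP\//);
    if (!m) continue;
    const c = classifyRequest(m[1]);
    if (c.bypassSuspected || c.malformed) hits.push({ line, ...c });
  }
  return hits;
}
```

Encoded characters deeper in the path (/api/%76ersion) still match the /api prefix, so only requests whose protected prefix is itself encoded, or whose encoding is malformed, are reported.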