CVE-2026-22037
Published: 19 January 2026
Summary
CVE-2026-22037 is a high-severity Hex Encoding (CWE-177) vulnerability. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 8.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Upgrading @fastify/express from a version prior to 4.0.3 directly removes the middleware path-matching bypass via URL-encoded characters.
Enforcing approved authorizations (AC-3) ensures the middleware matches and applies access controls to the decoded URL path, blocking the bypass.
Validating URL path inputs (SI-10) so that decoding and format are handled consistently prevents the mismatch between middleware and router path handling that enables the bypass.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct authentication/authorization bypass in public-facing web middleware via path encoding mismatch enables exploitation of the application for unauthorized endpoint access.
NVD Description
The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch for the issue.
Deeper analysis
CVE-2026-22037 is a security vulnerability in the @fastify/express plugin, which provides full Express compatibility to Fastify, affecting versions prior to 4.0.3. The issue allows middleware registered with a specific path prefix to be bypassed by using URL-encoded characters in requests, such as `/%61dmin` instead of `/admin`. The @fastify/express middleware engine fails to match the encoded path and skips execution, while the underlying Fastify router correctly decodes the path, matches the route handler, and processes the request. This mismatch arises from how @fastify/express handles path matching for middleware. The vulnerability is rated with a CVSS v3.1 base score of 8.4 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L) and is associated with CWE-177 (Incorrect Behavior Order: Early Validation) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel). It is similar to but distinct from CVE-2026-22031 due to differences in the affected npm module.
An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) by crafting requests with URL-encoded paths that evade middleware checks, such as authentication or authorization constraints, while still reaching the intended Fastify route handler. Exploitation requires high attack complexity (AC:H) but no user interaction (UI:N), enabling scope change (S:C) with high confidentiality and integrity impacts (C:H/I:H) and low availability impact (A:L). Successful exploitation grants unauthorized access to protected endpoints that would otherwise be restricted by the bypassed middleware.
The GitHub security advisory (GHSA-g6q3-96cp-5r5m) and the patching commit (dc02a3fe1387f945143f22597baa42557d549a40) confirm that version 4.0.3 of @fastify/express addresses the issue by fixing the path matching logic in the middleware engine. Security practitioners should upgrade to @fastify/express 4.0.3 or later to mitigate the vulnerability.
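As an added example (not code from @fastify/express or the advisory), the following JavaScript models the mismatch described above: a middleware matcher that compares the raw URL, a router that decodes first, the decode-before-match fix, and a check over constructed access-log lines that flags requests whose decoded path lands under a protected prefix. The log format and all function names are assumptions.

```javascript
// Added example (not @fastify/express code): models the encoded-path mismatch behind
// CVE-2026-22037, the decode-before-match fix, and a log check for encoded probes.

// Percent-decode a request path; null on malformed encoding such as "/%zz".
function decodePath(rawUrl) {
  try {
    return decodeURIComponent(rawUrl.split('?')[0]);
  } catch (e) {
    return null;
  }
}
function hasPrefix(path, prefix) {
  return path === prefix || path.startsWith(prefix + '/');
}
// Vulnerable: compares the raw, still-encoded path, so "/%61dmin" never matches "/admin".
function vulnerableMiddlewareApplies(rawUrl, prefix) {
  return hasPrefix(rawUrl.split('?')[0], prefix);
}
// Router: decodes before matching, so "/%61dmin" reaches the "/admin" handler.
function routerMatches(rawUrl, prefix) {
  const decoded = decodePath(rawUrl);
  return decoded !== null && hasPrefix(decoded, prefix);
}
// Fixed: decode first and fail closed on bad encoding, so the middleware's
// view of the path always agrees with the router's.
function fixedMiddlewareApplies(rawUrl, prefix) {
  const decoded = decodePath(rawUrl);
  return decoded === null || hasPrefix(decoded, prefix);
}
// Detection over access-log lines in an assumed (constructed) format:
//   <ip> "<METHOD> <path> HTTP/1.1" <status>
// Returns raw paths that differ from their decoded form and decode to a protected prefix.
function flagEncodedPrefixProbes(logLines, protectedPrefixes) {
  const flagged = [];
  for (const line of logLines) {
    const m = /"[A-Z]+ (\S+) HTTP\//.exec(line);
    if (!m) continue;
    const rawPath = m[1].split('?')[0];
    const decoded = decodePath(rawPath);
    if (decoded === null || decoded === rawPath) continue;
    if (protectedPrefixes.some((p) => hasPrefix(decoded, p))) flagged.push(rawPath);
  }
  return flagged;
}
// Constructed sample lines, not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 "GET /admin/users HTTP/1.1" 401',
  '10.0.0.7 "GET /%61dmin/users HTTP/1.1" 200',
  '10.0.0.9 "GET /public/a%20b HTTP/1.1" 200',
];
```

The bypass condition is exactly `routerMatches(url, p) && !vulnerableMiddlewareApplies(url, p)`; with `fixedMiddlewareApplies` in place of the vulnerable matcher that condition can no longer be true.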
Details
- CWE(s)