
CVE-2026-22037: CWE-177: Improper Handling of URL Encoding (Hex Encoding) in fastify fastify-express

Severity: High
Type: Vulnerability
Tags: CVE-2026-22037, CWE-177, CWE-288
Published: Mon Jan 19 2026 (01/19/2026, 16:48:10 UTC)
Source: CVE Database V5
Vendor/Project: fastify
Product: fastify-express

Description

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch for the issue.

AI-Powered Analysis

Last updated: 01/19/2026, 19:03:23 UTC

Technical Analysis

CVE-2026-22037 affects the @fastify/express plugin, which lets Express-style middleware run inside the Fastify web framework. The core issue is improper handling of percent-encoded characters during middleware path matching. When middleware is registered with a path prefix (for example /admin), @fastify/express compares the raw request path against that prefix without decoding it first. A request for /%61dmin (where %61 is the hex encoding of 'a') therefore does not match /admin, and the middleware is skipped. The Fastify router underneath does decode the path, matches the /admin route handler, and serves the request, so the handler runs without whatever authentication, authorization or other checks the middleware was meant to enforce.

Two components disagree about the identity of the same path, and the attacker chooses which one sees what. The same trick works for any character of the prefix (e.g. /ad%6Din or /%61%64%6Din), so blocking one spelling is not a fix. The weakness is classified as CWE-177 (Improper Handling of URL Encoding) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel). It differs from CVE-2026-22031, a similar issue in a different npm module with its own code. All versions of @fastify/express prior to 4.0.3 are affected; 4.0.3 contains the patch.

The CVSS v3.1 base score is 8.4 (High). Exploitation needs only a crafted HTTP request over the network, no user interaction, and at most low privileges; the exposure is to the confidentiality and integrity of whatever the bypassed middleware protected. No exploitation in the wild had been reported as of the publication date.
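The mismatch described above, modelled as an added example in plain Node.js. This is not @fastify/express code: the route table, `rawPrefixMatch`, `canonicalizePath`, `canonicalPrefixMatch` and `handleRequest` are constructed here to show the vulnerable pattern next to a decode-before-match fix, and the `/admin` prefix is an assumption.

```javascript
// Added example, not @fastify/express code: a minimal model of the
// middleware/router mismatch behind CVE-2026-22037 and a decode-before-match fix.

// Hypothetical route table keyed by the *decoded* path, the way a router that
// percent-decodes before matching would see it.
const routes = new Map([
  ['/admin/users', () => ({ status: 200, body: 'user list' })],
  ['/public', () => ({ status: 200, body: 'hello' })],
]);

// Vulnerable pattern: the raw request path is compared against the middleware
// prefix without decoding. '/%61dmin/users' does not start with '/admin', so the
// auth middleware is never selected even though the router will serve /admin/users.
function rawPrefixMatch(prefix, rawPath) {
  const pathOnly = rawPath.split('?')[0];
  return pathOnly === prefix || pathOnly.startsWith(prefix + '/');
}

// Canonicalise a request path the way the router does before any comparison:
// strip the query, percent-decode exactly once, drop empty and '.' segments and
// resolve '..'. Returns null on malformed encoding (e.g. '/%zz') so the caller
// can fail closed instead of guessing.
function canonicalizePath(rawPath) {
  const pathOnly = rawPath.split('?')[0];
  let decoded;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch {
    return null;
  }
  const segments = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg);
  }
  return '/' + segments.join('/');
}

// Hardened pattern: match on the canonical path, and treat undecodable paths as
// protected so a parser error cannot become a bypass.
function canonicalPrefixMatch(prefix, rawPath) {
  const canon = canonicalizePath(rawPath);
  if (canon === null) return true;
  return canon === prefix || canon.startsWith(prefix + '/');
}

// Simulated pipeline: an auth gate registered under '/admin' runs first (if the
// matcher selects it), then a router that always decodes. `matcher` picks the
// vulnerable or hardened prefix logic.
function handleRequest(rawPath, matcher, { authenticated = false } = {}) {
  const middlewareRan = matcher('/admin', rawPath);
  if (middlewareRan && !authenticated) {
    return { middlewareRan, status: 401, body: 'unauthorized' };
  }
  const canon = canonicalizePath(rawPath);
  const handler = canon === null ? undefined : routes.get(canon);
  if (!handler) return { middlewareRan, status: 404, body: 'not found' };
  return { middlewareRan, ...handler() };
}

// Demonstration: the same encoded probe against both models.
const probe = '/%61dmin/users';
console.log('vulnerable:', handleRequest(probe, rawPrefixMatch));       // status 200, middlewareRan false
console.log('hardened:  ', handleRequest(probe, canonicalPrefixMatch)); // status 401, middlewareRan true
```

Two details matter for anyone porting this into a real gate. The canonical form is decoded exactly once, so a double-encoded `/%2561dmin` stays `/%61dmin` for both the gate and the router and simply fails to route; decoding twice would recreate the bug one layer up. And malformed encoding is treated as "protected" rather than "no match", because a gate that throws or returns false on a parser error is a gate the attacker can switch off.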

Potential Impact

For organizations running Fastify applications with the @fastify/express plugin, the risk concentrates in deployments that rely on path-prefixed Express middleware for authentication, authorization, rate limiting, CSRF checks or similar controls. An attacker can reach every route under a protected prefix by percent-encoding any character of that prefix, which can lead to data exposure, unauthorized operations and loss of application integrity. Node.js frameworks are widely used in Europe's fintech, e-commerce and public-sector services, so the population of affected applications may be large, and organizations processing personal data under GDPR may face notification duties and compliance consequences if the bypass leads to unauthorized access. The network attack vector and the absence of any user interaction make remote exploitation straightforward. Because prefix matching is what fails, a single encoded request pattern covers every handler registered beneath that prefix rather than one endpoint. The advisory scopes the bypass to middleware registered with a path prefix.

Mitigation Recommendations

1. Upgrade every instance of @fastify/express to version 4.0.3 or later. Check what is actually resolved in each service with `npm ls @fastify/express`; transitive copies pulled in by other packages count too.
2. Audit middleware registrations for path prefixes that gate security controls. Where a control must run for every request under a prefix, consider enforcing it in the Fastify layer as well (for example an onRequest or preHandler hook inside the encapsulated plugin that owns those routes), so the control and the router share one view of the path.
3. If you normalize paths at a proxy or in the application, decode exactly as the downstream router does: once. Decoding twice turns /%2561dmin into /admin and recreates the problem one layer up, and rejecting rather than guessing is the safe response to malformed percent-encoding.
4. Test your own applications by requesting protected routes with individual characters of the prefix percent-encoded (e.g. /%61dmin, /ad%6Din), with and without credentials; the middleware must reach the same verdict for every spelling.
5. Monitor access logs for paths that percent-encode characters which never need encoding (letters, digits, '-', '.', '_', '~'). Legitimate clients essentially never do this, so such requests, particularly against protected prefixes with a 2xx response, indicate probing or a successful bypass.
6. Treat path-prefix matching as routing, not as a security boundary, and teach development teams to layer controls accordingly (defense in depth).
7. WAF rules that flag or block requests with unnecessarily encoded path characters aimed at sensitive prefixes can buy time before patching, but they are a stopgap; the fix is the upgrade.
8. Add middleware-bypass scenarios to incident response playbooks, including how to reconstruct from logs which routes were reachable and when.
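Mitigation step 5 in practice, as an added example that is not part of the advisory: a heuristic that scans access-log lines for paths percent-encoding characters that never need encoding, which is how a /%61dmin probe presents in logs. `SAMPLE_LOG` is constructed for this example, the Common Log Format parser is a minimal assumption, and `/admin` is an assumed protected prefix.

```javascript
// Added example, not from the advisory or any real system: flag requests whose
// path percent-encodes an RFC 3986 unreserved character
// (ALPHA / DIGIT / "-" / "." / "_" / "~"), which is the signature of
// encoding-based path-matching bypass probes such as CVE-2026-22037.
const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

// Return every %XX escape in `path` whose decoded byte is unreserved.
function unnecessaryEncodings(path) {
  const hits = [];
  const re = /%([0-9A-Fa-f]{2})/g;
  let m;
  while ((m = re.exec(path)) !== null) {
    const ch = String.fromCharCode(parseInt(m[1], 16));
    if (UNRESERVED.test(ch)) hits.push(m[0]);
  }
  return hits;
}

// Minimal Common Log Format parser (assumption): pull method, request target and
// status out of the quoted request line. Returns null for lines that don't fit.
function parseLogLine(line) {
  const m = line.match(/"(\S+) (\S+) \S+" (\d{3})/);
  if (!m) return null;
  return { method: m[1], path: m[2], status: Number(m[3]) };
}

// Scan lines and report suspicious requests. `likelyBypass` is set when the
// decoded path lands under a protected prefix AND the server answered 2xx/3xx,
// i.e. the request got through whatever should have gated it.
function findSuspiciousRequests(lines, protectedPrefixes) {
  const findings = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const encodings = unnecessaryEncodings(req.path);
    if (encodings.length === 0) continue;
    let decoded;
    try {
      decoded = decodeURIComponent(req.path.split('?')[0]); // decode once, like the router
    } catch {
      decoded = null;
    }
    const targetsProtected = decoded !== null &&
      protectedPrefixes.some((p) => decoded === p || decoded.startsWith(p + '/'));
    findings.push({
      path: req.path,
      decoded,
      encodings,
      status: req.status,
      targetsProtected,
      likelyBypass: targetsProtected && req.status < 400,
    });
  }
  return findings;
}

// Constructed sample log: one plain probe that was gated, two encoded probes
// that got 200 (bypass), a benign non-ASCII query, a benign encoded space,
// and an encoded probe that was gated (what a patched deployment logs).
const SAMPLE_LOG = [
  '203.0.113.7 - - [19/Jan/2026:16:50:01 +0000] "GET /admin/users HTTP/1.1" 401 12',
  '203.0.113.7 - - [19/Jan/2026:16:50:02 +0000] "GET /%61dmin/users HTTP/1.1" 200 512',
  '198.51.100.2 - - [19/Jan/2026:16:51:10 +0000] "GET /search?q=caf%C3%A9 HTTP/1.1" 200 88',
  '203.0.113.7 - - [19/Jan/2026:16:52:00 +0000] "GET /%61%64%6Din/config HTTP/1.1" 200 300',
  '198.51.100.9 - - [19/Jan/2026:16:53:00 +0000] "GET /files/report%202026.pdf HTTP/1.1" 200 9000',
  '203.0.113.7 - - [19/Jan/2026:17:10:00 +0000] "GET /%61dmin/users HTTP/1.1" 401 12',
];

for (const f of findSuspiciousRequests(SAMPLE_LOG, ['/admin'])) {
  console.log(f.likelyBypass ? 'BYPASS ' : 'probe  ', f.status, f.path, '->', f.decoded, f.encodings.join(' '));
}
```

The heuristic deliberately ignores escapes that are legitimately needed (spaces, non-ASCII, reserved delimiters), so ordinary traffic produces no findings; what remains is rare enough to alert on directly. Pair the `likelyBypass` hits with the patch date: encoded probes that drew a 401 after upgrading are reconnaissance, the ones that drew a 200 before it are incidents.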


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-05T22:30:38.719Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 696e7feca027839b3dc0118d

Added to database: 1/19/2026, 7:03:08 PM

Last enriched: 1/19/2026, 7:03:23 PM

Last updated: 1/19/2026, 8:10:33 PM

