CVE-2026-22037: CWE-177: Improper Handling of URL Encoding (Hex Encoding) in fastify fastify-express
The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch for the issue.
AI Analysis
Technical Summary
The vulnerability CVE-2026-22037 affects the @fastify/express plugin, which integrates Express middleware compatibility into the Fastify web framework. The core issue lies in how the plugin matches incoming request paths against registered middleware paths. Specifically, when a middleware is registered with a path prefix (e.g., /admin), the plugin’s matching logic does not properly decode URL-encoded characters in the request path before matching. For example, an attacker can request /%61dmin (where %61 is the ASCII hex code for 'a'), which the middleware matching logic fails to recognize as /admin, causing it to skip middleware execution. However, the underlying Fastify router correctly decodes the path and matches the route handler for /admin, allowing the request to reach protected endpoints without passing through the middleware that enforces security controls such as authentication or authorization. This discrepancy creates a bypass scenario where middleware protections are circumvented. The vulnerability is classified under CWE-177 (Improper Handling of URL Encoding) and CWE-288 (Authentication Bypass Using an Alternate Path). It affects all versions of @fastify/express prior to 4.0.3, which contains the fix. The CVSS v3.1 score is 8.4 (High), reflecting network attack vector, low privileges required, no user interaction, and a scope change with high confidentiality and integrity impact and low availability impact. No public exploits are known yet, but the vulnerability’s nature makes it a serious risk for web applications relying on this plugin for middleware enforcement.
Potential Impact
For European organizations, this vulnerability poses a significant risk to web applications built with Fastify and the @fastify/express plugin. Attackers can bypass critical middleware protections such as authentication, authorization, logging, or input validation by exploiting URL-encoded path bypasses. This can lead to unauthorized data access, privilege escalation, and potential data breaches impacting confidentiality and integrity of sensitive information. The availability impact is low but could increase if attackers leverage this access to deploy further exploits. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, government) face regulatory and reputational risks if exploited. The vulnerability’s network attack vector and no user interaction requirement mean it can be exploited remotely and at scale, increasing the threat surface. Given the widespread use of Node.js and Fastify in European tech ecosystems, especially in countries with advanced digital infrastructure, the impact can be substantial without timely mitigation.
Mitigation Recommendations
1. Upgrade all instances of @fastify/express to version 4.0.3 or later immediately to apply the official patch addressing the URL encoding bypass.
2. Conduct a thorough audit of middleware path registrations to identify any sensitive routes protected by middleware that could be bypassed via encoded paths.
3. Implement additional request validation or normalization layers before middleware matching to decode and sanitize URL paths, ensuring consistent matching behavior.
4. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious URL-encoded requests targeting sensitive endpoints.
5. Monitor application logs for unusual access patterns involving encoded URLs that could indicate exploitation attempts.
6. Educate development teams about secure middleware configuration and the risks of relying solely on path-based middleware protections.
7. Consider defense-in-depth by enforcing authentication and authorization checks within route handlers themselves, not only in middleware.
8. Regularly update dependencies and monitor vulnerability disclosures related to Fastify and its plugins.
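The mismatch described in the Technical Summary (a raw-string prefix comparison that never sees `/admin` when the request says `/%61dmin`, while the router decodes first) and the normalization layer suggested in recommendation 3 above, shown side by side as an added example. This is illustrative code written for this page, not @fastify/express source; the function names are assumed, and the decoding is a single `decodeURIComponent` pass with `.`/`..` segment collapsing.

```javascript
// Added example (not @fastify/express code): decode and canonicalise a request
// path BEFORE prefix-matching it against a middleware mount point, so that an
// encoded path such as "/%61dmin" is treated the same way a router that decodes
// the path treats "/admin".

// Comparison of the kind the advisory describes: the raw request path is
// compared with the mount prefix without decoding, so "/%61dmin" never matches
// "/admin" and the middleware is skipped.
function rawPrefixMatch(rawUrl, prefix) {
  return rawUrl === prefix || rawUrl.startsWith(prefix + '/');
}

// Collapse empty, "." and ".." segments; ".." can never climb above "/".
function collapseSegments(path) {
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Strip query/fragment, percent-decode exactly once, then canonicalise.
// Returns null for a path that cannot be decoded (malformed %-sequence or an
// embedded NUL); callers should reject such requests (e.g. 400) rather than
// treat them as "no middleware applies".
function normalisePath(rawUrl) {
  const pathOnly = rawUrl.split(/[?#]/, 1)[0];
  let decoded;
  try {
    decoded = decodeURIComponent(pathOnly); // single pass: "%2561" stays "%61"
  } catch {
    return null;                             // e.g. "/%zz" or a trailing "%"
  }
  if (decoded.includes('\0')) return null;
  return collapseSegments(decoded);
}

// Prefix match on the normalised path, honouring segment boundaries so that
// "/admin-public" is not mistaken for a child of "/admin".
// Returns true/false, or null when the request path is malformed.
function normalisedPrefixMatch(rawUrl, prefix) {
  const path = normalisePath(rawUrl);
  if (path === null) return null;
  const mount = collapseSegments(prefix);
  if (mount === '/') return true;
  return path === mount || path.startsWith(mount + '/');
}
```

The key property is that the middleware matcher and the router now agree on one canonical form of the path, so a request cannot reach a route's handler via a spelling the matcher does not recognise.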
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T22:30:38.719Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696e7feca027839b3dc0118d
Added to database: 1/19/2026, 7:03:08 PM
Last enriched: 1/26/2026, 7:47:58 PM
Last updated: 2/7/2026, 2:05:23 AM