CVE-2026-22037: @fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)
A security vulnerability exists in @fastify/express where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.
References
- github.com/advisories/GHSA-g6q3-96cp-5r5m
- github.com/fastify/fastify-express
- github.com/fastify/fastify-express/commit/dc02a3fe1387f945143f22597baa42557d549a40
- github.com/fastify/fastify-express/releases/tag/v4.0.3
- github.com/fastify/fastify-express/security/advisories/GHSA-g6q3-96cp-5r5m
- nvd.nist.gov/vuln/detail/CVE-2026-22037
Code Behaviors & Features
Detect and mitigate CVE-2026-22037 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →