Description
The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch for the issue.
Published: 2026-01-19
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Protected Endpoints
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in the @fastify/express plugin allows an attacker to bypass middleware that protects certain paths by sending URL-encoded characters that the middleware engine does not match. The Fastify router decodes the path before routing, so a request such as "/%61dmin" matches the protected route without the middleware being executed. This flaw is classified as Improper Handling of URL Encoding (Hex Encoding) (CWE-177) and Authentication Bypass Using an Alternate Path or Channel (CWE-288), enabling attackers to gain unauthorized access to endpoints that are otherwise restricted.

Affected Systems

The issue affects the @fastify/express plugin (fastify:fastify-express) in any Node.js application that uses a version prior to 4.0.3. Every installation that registers middleware with a specific path prefix is affected until the patch is applied.

Risk and Exploitability

The risk is high, with a CVSS score of 8.4, yet the EPSS score is very low (<1%), indicating limited current exploitation activity. It is not listed in the CISA KEV catalog. The likely attack vector is remote, where an attacker crafts HTTP requests containing URL-encoded paths to reach protected endpoints. No special privileges or additional network access are required beyond the ability to send HTTP traffic to the vulnerable application.

Generated by OpenCVE AI on April 18, 2026 at 05:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the @fastify/express package to version 4.0.3 or newer to incorporate the fix against the URL-encoding bypass.
  • Verify that all middleware path prefixes are explicit and test that encoded URLs still trigger the intended middleware logic.
  • Implement application-level input validation or deploy a web application firewall that normalizes or rejects encoded URLs before they reach the application.
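As an added illustration (not code from @fastify/express or from the advisory), the following Node.js snippet contrasts a prefix check run on the raw request path with one that percent-decodes the path first, the way the router does, and includes an audit helper that reports which of a set of constructed sample paths the raw check would skip. The `/admin` prefix, the function names and the sample paths are assumptions made for the example; malformed escapes are handled fail-closed, which goes slightly beyond the advisory's single `/%61dmin` case.

```javascript
// Added example (not @fastify/express code). Pure Node.js, no Fastify needed.
// Shows why a prefix check on the still-encoded path skips requests that the
// router later decodes, and how decoding before matching closes that gap.

const PREFIX = '/admin'; // assumed protected prefix for the example

// Strip the query string and fragment; only the path takes part in matching.
function pathOnly(rawUrl) {
  const stop = rawUrl.search(/[?#]/);
  return stop === -1 ? rawUrl : rawUrl.slice(0, stop);
}

// Raw matcher: compares the path exactly as received. A check of this shape
// lets "/%61dmin" slip past a "/admin" prefix, because "%61" is not "a" until
// something decodes it.
function naivePrefixMatch(prefix, rawUrl) {
  const p = pathOnly(rawUrl);
  return p === prefix || p.startsWith(prefix + '/');
}

// Decoding matcher: percent-decode the path before comparing, so the check sees
// the same string the router will route on. Fails closed: an undecodable escape
// such as "%zz" is treated as matching the protected prefix rather than being
// let through unchecked.
function decodedPrefixMatch(prefix, rawUrl) {
  let p;
  try {
    p = decodeURIComponent(pathOnly(rawUrl));
  } catch (e) {
    if (e instanceof URIError) return true; // fail closed on malformed input
    throw e;
  }
  return p === prefix || p.startsWith(prefix + '/');
}

// Audit helper: given request paths (for instance pulled from access logs),
// return those the raw matcher would skip while the decoding matcher would
// still apply the middleware. Malformed escapes are included because the
// decoding matcher treats them as protected. A non-empty result means the raw
// prefix check is not a reliable middleware boundary.
function findBypasses(prefix, rawUrls) {
  return rawUrls.filter(
    (u) => !naivePrefixMatch(prefix, u) && decodedPrefixMatch(prefix, u)
  );
}

// Constructed sample request paths (not real traffic).
const SAMPLE_PATHS = [
  '/admin',
  '/admin/users?page=2',
  '/%61dmin',            // encoded "a": the case from the advisory
  '/admin/%75sers',      // encoding below the prefix does not matter here
  '/administrator',      // a different resource, must NOT match "/admin"
  '/public/index.html',
  '/%zzdmin',            // malformed escape, handled fail-closed
];

for (const u of SAMPLE_PATHS) {
  console.log(
    u.padEnd(22),
    'raw:', naivePrefixMatch(PREFIX, u),
    'decoded:', decodedPrefixMatch(PREFIX, u)
  );
}
console.log('skipped by raw check but routed after decoding:', findBypasses(PREFIX, SAMPLE_PATHS));
```

Running the file prints one line per sample path and then the list of paths the raw check misses; in a real deployment the same `findBypasses` call can be fed paths from access logs to confirm, after upgrading to 4.0.3, that no request shape reaches a protected handler without its middleware.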

Advisories
Source: GitHub GHSA
ID: GHSA-g6q3-96cp-5r5m
Title: @fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)
History

Tue, 20 Jan 2026 22:15:00 +0000

  • Metrics, values added (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 08:45:00 +0000

  • First Time appeared, values added: Fastify; Fastify fastify
  • Vendors & Products, values added: Fastify; Fastify fastify

Mon, 19 Jan 2026 17:00:00 +0000

  • Description, values added: The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch for the issue.
  • Title, values added: @fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)
  • Weaknesses, values added: CWE-177, CWE-288
  • References:
  • Metrics, values added (cvssV3_1): {'score': 8.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T21:34:44.100Z

Reserved: 2026-01-05T22:30:38.719Z

Link: CVE-2026-22037

Vulnrichment

Updated: 2026-01-20T21:34:41.679Z

NVD

Status: Deferred

Published: 2026-01-19T17:15:50.283

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22037

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses