CVE-2026-22037

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.3

Description A security issue exists in the @fastify/express plugin, which provides Express compatibility for Fastify. The problem occurs when middleware is registered with a specific path prefix. Attackers can bypass the middleware by using URL-encoded characters in the request path, such as /%61dmin instead of /admin. The Fastify router correctly decodes the path and matches the route handler, allowing access to protected endpoints without the intended middleware restrictions. This bypass is due to how @fastify/express matches requests against registered middleware paths.

Recommendations Update to @fastify/express version 4.0.3 or later.