Cyber Posture

CVE-2026-22031

HighPublic PoC

Published: 19 January 2026

Published
19 January 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score 8.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.0011 29.1th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of…

more

`/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. Version 9.1.0 fixes the issue.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the CVE by requiring identification, reporting, and correction of the path decoding flaw in @fastify/middie via upgrade to version 9.1.0.

AC-3 Access Enforcement good match
prevent

Enforces access controls that must consistently handle URL-encoded paths to prevent bypass of middleware protections like authentication on protected endpoints.

SI-10 Information Input Validation good match
prevent

Requires validation of URL path inputs to ensure consistent decoding and matching across middleware and router components, preventing exploitation via encoded variants.

Security SummaryAI

CVE-2026-22031 is a security vulnerability in the @fastify/middie plugin, which provides enhanced middleware support for the Fastify web framework. Affecting versions prior to 9.1.0, the issue stems from the middleware engine's failure to properly handle URL-encoded characters in path prefixes. For example, a path like `/admin` protected by middleware can be bypassed by sending an encoded variant such as `/%61dmin`, where `%61` decodes to `a`. While the middleware skips execution due to a path mismatch, Fastify's underlying router decodes the path correctly and proceeds to match and execute the route handler.

An attacker with low privileges (PR:L) can exploit this over the network (AV:N) without user interaction (UI:N), though it requires high attack complexity (AC:H) due to the need for precise encoding. Successful exploitation allows bypassing middleware constraints, such as authentication or authorization checks, on protected endpoints. This grants high confidentiality and integrity impacts (C:H/I:H) with low availability impact (A:L), and the scope changes (S:C) to affect the Fastify router component.

Mitigation is available via upgrade to version 9.1.0 of @fastify/middie, which addresses the path matching issue. Relevant advisories and fixes are detailed in the GitHub security advisory (GHSA-cxrg-g7r8-w69p), pull request #245, commit d44cd56eb724490babf7b452fdbbdd37ea2effba, and the v9.1.0 release notes. The vulnerability is classified under CWE-177 (Incorrect Behavior Order: Early Validation) with a CVSS v3.1 base score of 8.4.

Details

CWE(s)
CWE-177

Affected Products

openjsf
\@fastify\/middie
≤ 9.1.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability enables bypassing authentication/authorization middleware in public-facing Fastify web applications via URL-encoded path mismatches, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References