Key Information on Vulnerability from the Screenshot

Summary
Vulnerability: Fastify Middleware Path Bypass
Package:
Affected Versions: <=9.0.3
Patched Versions: 9.1.0
Severity: High (8.4/10)

Description Summary:
- A security vulnerability exists in where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., instead of ).
- The middleware engine fails to match the encoded path and skips execution, but the Fastify router decodes the path and matches the route handler, allowing attackers to access protected endpoints.

Details
1. Regex Generation: generates a regex for the path using .
2. Request Matching: The regex is matched against (or ).
3. The Flaw: contains the raw, undecoded path string.
   - The generated regex expects a decoded path.
   - If a request is sent to , the regex comparison fails.
   - assumes the middleware does not apply and calls .
4. Route Execution: The request proceeds to Fastify's internal router, which decodes the URL and executes the route handler.

Impact
Type: Authentication/Authorization Bypass
Affected Components: Applications using for security controls on specific route prefixes.
Severity: High; attackers can bypass security middleware to access protected admin or sensitive endpoints.

CVSS Metrics
Severity: High (8.4/10)
Base Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: Low

CVE ID
CVE-2026-22031

Weaknesses
CWE-177

Credits
Reporter: rootxharsh
Remediation Developers: kamilmysliwiec, Eomm
Coordinator: mcollina
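The mismatch described in the Details section (a prefix regex tested against the raw request URL, while the router decodes the path before routing) can be reproduced with a few lines of plain Node.js. The example below is added here and is not code from Fastify or from the affected middleware package; the helper names (prefixRegex, matchesRaw, normalizePath, matchesDecoded, findDisagreements) and the sample request paths are constructed for illustration. It contrasts a raw-URL prefix check with one that decodes and normalizes the path first, fails closed on malformed percent-encoding, and includes a small log-audit helper that flags request paths on which the two checks disagree.

```javascript
// Added example; not code from Fastify or the affected middleware package.
// All function names below are hypothetical.

// Build a prefix regex the way a path-prefix middleware engine might:
// "/admin" becomes /^\/admin(?:\/|$)/, so "/admin" and "/admin/..." match
// but "/administrator" does not.
function prefixRegex(prefix) {
  const escaped = prefix.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped + '(?:/|$)');
}

// Vulnerable-style check: the regex is tested against the raw, undecoded
// request path, so a percent-encoded character inside the prefix defeats it.
function matchesRaw(prefix, rawUrl) {
  return prefixRegex(prefix).test(rawUrl.split('?')[0]);
}

// Decode the path once (as a router would) and collapse repeated slashes.
// Returns null when the percent-encoding is malformed.
function normalizePath(rawUrl) {
  const pathOnly = rawUrl.split('?')[0];
  let decoded;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch (err) {
    return null; // URIError: malformed percent-encoding
  }
  return decoded.replace(/\/{2,}/g, '/');
}

// Hardened check: match against the decoded, normalized path, and fail closed
// (treat the request as in scope) when the path cannot be decoded at all.
function matchesDecoded(prefix, rawUrl) {
  const normalized = normalizePath(rawUrl);
  if (normalized === null) return true;
  return prefixRegex(prefix).test(normalized);
}

// Detection aid for access logs: return the request paths on which the raw
// and decoded checks disagree, i.e. requests that a raw-URL prefix match
// would have skipped even though the router resolves them under the prefix.
function findDisagreements(prefix, rawUrls) {
  return rawUrls.filter((u) => matchesRaw(prefix, u) !== matchesDecoded(prefix, u));
}

// Constructed sample request paths (not taken from the advisory).
const SAMPLE_REQUESTS = [
  '/admin/users',        // plain: both checks match
  '/%61dmin/users',      // encoded letter inside the prefix: raw check misses it
  '/%61dmin',            // same, without a trailing segment
  '/admin/%75sers',      // encoding after the prefix: both checks still match
  '/administrator',      // different route: neither check matches
  '/public/index.html',  // unrelated path: neither check matches
];

console.log('paths the raw check would skip:', findDisagreements('/admin', SAMPLE_REQUESTS));
```

Two design points matter when adapting this. First, the decoding in the middleware check must mirror what the router actually does (single decode, same treatment of special sequences), otherwise the two layers still disagree and the gap simply moves. Second, the check fails closed: a path that cannot be decoded is treated as in scope rather than allowed through. None of this replaces the real fix, which is upgrading to the patched 9.1.0 release; the audit helper is useful mainly for reviewing historical access logs for requests that an older version would have let past the middleware.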