chore(deps): update dependency @fastify/express to v4 [security] by renovate[bot] · Pull Request #3351 · open-telemetry/opentelemetry-js-contrib

renovate · 2026-01-20T20:39:22Z

This PR contains the following updates:

Package	Change	Age	Confidence
@fastify/express	`^3.0.0` → `^4.0.3`

GitHub Vulnerability Alerts

CVE-2026-22037

Summary

A security vulnerability exists in @fastify/express where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.

Details

The vulnerability is caused by how @fastify/express matches requests against registered middleware paths.

PoC

Step 1: Run the following Fastify application (save as app.js):

const fastify = require('fastify')({ logger: true });

async function start() {
  // Register fastify-express for Express-style middleware support
  await fastify.register(require('@&#8203;fastify/express'));

  // Middleware to block /admin route
  fastify.use('/admin', (req, res, next) => {
    res.statusCode = 403;
    res.end('Forbidden: Access to /admin is blocked');
  });

  // Sample routes
  fastify.get('/', async (request, reply) => {
    return { message: 'Welcome to the homepage' };
  });

  fastify.get('/admin', async (request, reply) => {
    return { message: 'Admin panel' };
  });

  fastify.get('/admin/dashboard', async (request, reply) => {
    return { message: 'Admin dashboard' };
  });

  // Start server
  try {
    await fastify.listen({ port: 3000 });
  } catch (err) {
    fastify.log.error(err);
    process.exit(1);
  }
}

start();

Step 2: Execute the attack.

➜  ~ curl http://206.189.140.29:3000/%61dmin
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /%61dmin</pre>
</body>
</html>

(fastify express)

➜  ~ curl http://206.189.140.29:3000/%61dmin
{"message":"Admin panel"}

It differs from CVE-2026-22031 because this is a different npm module with its own code.

Release Notes

fastify/fastify-express (@fastify/express)

`v4.0.3`

Compare Source

What's Changed

build(dependabot): reduce npm updates to monthly by @Fdawgs in #157
chore: rename master to main by @Fdawgs in #158
test: migrate to node test runner by @ilteoood in #159
ci(ci): set job permissions by @Fdawgs in #161
docs(readme): update plugin version syntax by @Fdawgs in #162
ci: set permissions at workflow level by @Fdawgs in #163
ci: restore job level permissions by @Fdawgs in #164
build(deps): bump express from 4.21.2 to 5.1.0 by @dependabot[bot] in #166
build(deps-dev): bump serve-static from 1.16.2 to 2.2.0 by @dependabot[bot] in #165
build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @dependabot[bot] in #168
chore(license): update date ranges; standardise style by @Fdawgs in #169
chore(.npmrc): ignore scripts by @Fdawgs in #171
ci(ci): add concurrency config by @Fdawgs in #172
build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in #170
fix: decode paths before matching by @mcollina in #174
fix: restore express4 by @Eomm in #176

New Contributors

@ilteoood made their first contribution in #159

Full Changelog: fastify/fastify-express@v4.0.2...v4.0.3

`v4.0.2`

Compare Source

What's Changed

build(deps-dev): bump helmet from 7.2.0 to 8.0.0 by @dependabot in #144
build(deps-dev): bump @types/express from 4.17.21 to 5.0.0 by @dependabot in #145
build(deps): bump fastify/workflows from 5.0.0 to 5.0.1 by @dependabot in #146
style: remove trailing whitespace by @Fdawgs in #147
docs(readme): update ci badge syntax by @Fdawgs in #149
build(deps-dev): replace standard with neostandard by @Fdawgs in #150
build(deps-dev): bump neostandard from 0.11.9 to 0.12.0 by @dependabot in #151
build(deps-dev): add eslint, peer dep of neostandard by @Fdawgs in #152
chore(package): add funding and contribs by @Fdawgs in #153
test: prefix unused params with underscores by @Fdawgs in #154
docs(readme): spelling and grammar fixes by @Fdawgs in #155
docs(readme): add compatibility table by @Fdawgs in #156

Full Changelog: fastify/fastify-express@v4.0.1...v4.0.2

`v4.0.1`

Compare Source

What's Changed

chore: update fastify to ^5.0.0 by @Fdawgs in #143

Full Changelog: fastify/fastify-express@v4.0.0...v4.0.1

`v4.0.0`

Compare Source

What's Changed

Merge next into master by @jsumners in #138
build(deps-dev): bump tap from 16.3.10 to 21.0.0 by @dependabot in #137
build(deps): bump fastify/workflows from 4.1.0 to 5.0.0 by @dependabot in #140
chore: update min fastify version by @Fdawgs in #139

Full Changelog: fastify/fastify-express@v3.0.0...v4.0.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot requested a review from a team as a code owner January 20, 2026 20:39

renovate bot added the dependencies Pull requests that update a dependency file label Jan 20, 2026

renovate bot assigned dyladan, legendecas, pichlermarc and trentm Jan 20, 2026

github-actions bot added pkg:instrumentation-fastify pkg-status:unmaintained This package is unmaintained. Only bugfixes may be acceped until a new owner has been found. labels Jan 20, 2026

renovate bot force-pushed the renovate/npm-fastify-express-vulnerability branch 4 times, most recently from 35a4f08 to 53071cf Compare January 22, 2026 08:56

renovate bot force-pushed the renovate/npm-fastify-express-vulnerability branch 3 times, most recently from fa76383 to d441445 Compare February 5, 2026 07:28

chore(deps): update dependency @fastify/express to v4 [security]

4f1fe51

renovate bot force-pushed the renovate/npm-fastify-express-vulnerability branch from d441445 to 4f1fe51 Compare February 5, 2026 07:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency @fastify/express to v4 [security]#3351

chore(deps): update dependency @fastify/express to v4 [security]#3351
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-fastify-express-vulnerability

renovate bot commented Jan 20, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

renovate bot commented Jan 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

CVE-2026-22037

Summary

Details

PoC

Release Notes

v4.0.3

What's Changed

New Contributors

v4.0.2

What's Changed

v4.0.1

What's Changed

v4.0.0

What's Changed

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

renovate bot commented Jan 20, 2026 •

edited

Loading

`v4.0.3`

`v4.0.2`

`v4.0.1`

`v4.0.0`