Moderate severityNVD Advisory· Published Jan 15, 2024· Updated Jun 17, 2025
Default swagger-ui configuration exposes all files in the module
CVE-2024-22207
Description
fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of @fastify/swagger-ui without baseDir set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the baseDir option can also work around this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@fastify/swagger-uinpm | >= 2.0.0, < 2.1.0 | 2.1.0 |
Affected products
2- Range: < 2.1.0
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-62jr-84gf-wmg4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-22207ghsaADVISORY
- github.com/fastify/fastify-swagger-ui/commit/13d799a2c5f14d3dd5b15892e03bbcbae63ee6f7ghsax_refsource_MISCWEB
- github.com/fastify/fastify-swagger-ui/security/advisories/GHSA-62jr-84gf-wmg4ghsax_refsource_CONFIRMWEB
- security.netapp.com/advisory/ntap-20240216-0002ghsaWEB
- security.netapp.com/advisory/ntap-20240216-0002/mitre
News mentions
0No linked articles in our index yet.