VYPR
Medium severity (5.3) · GHSA Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

@hapi/inert has a static-file confinement bypass via sibling-prefix path

CVE-2026-48049

Description

A path traversal vulnerability in @hapi/inert allows unauthenticated attackers to bypass directory confinement and read files from a sibling directory whose name shares a prefix with the served directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

@hapi/inert before version 7.1.1 serves static files from directories configured via the path option in the directory or file handlers, or via relativeTo for h.file(). Confinement enforcement, enabled by default via the confine option, is intended to restrict access to files within the specified directory. However, the confinement check performed a raw string-prefix comparison between the resolved absolute path and the confine directory path. This allows a sibling directory whose absolute path begins with the same characters as the confine directory (e.g., /app/static-secret next to /app/static) to be incorrectly accepted as confined. An attacker who knows or can guess such a sibling name can exploit this flaw. [1][2][3]

Exploitation

An unauthenticated remote attacker can send a crafted HTTP request using path traversal sequences such as /..%2fstatic-secret/secret.txt to read arbitrary files from a sibling directory that shares a string prefix with the configured static-file directory. The attack requires no authentication or special privileges; it needs only knowledge of (or the ability to guess) the sibling directory's name and the existence of a readable file in it. The vulnerability is triggered when the served directory has a sibling whose name starts with the same characters as the served directory. [1][2]

Impact

Successful exploitation allows an attacker to read any file within the affected sibling directory that is readable by the server process. This can lead to unauthorized disclosure of sensitive information, such as configuration files, secrets, or other data stored alongside the intended static directory. The scope of impact depends on the contents of the sibling directory; applications without such sibling directories are unaffected. [1][2][3]

Mitigation

Upgrade to version 7.1.1, which fixes the confinement check. For users who cannot immediately upgrade, a workaround is to ensure that no sibling directory exists whose name starts with the same characters as the served directory; for example, rename a sibling like static-secret/ to secret/ or move it to a different parent directory. No other workarounds have been disclosed. [1][2][3]

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 1

a65e5b271b5c

chore: fix unit test

https://github.com/hapijs/inert · Nicolas Morel · May 20, 2026 · via ghsa
1 file changed · +1 −1
  • test/file.js · +1 −1 · modified
    @@ -303,7 +303,7 @@ describe('file', () => {
                 const res = await server.inject('/filefn/index.js');
                 expect(res.statusCode).to.equal(200);
                 expect(res.payload).to.contain('Set correct confine value');
    -            expect(res.headers['content-type']).to.equal('application/javascript; charset=utf-8');
    +            expect(res.headers['content-type']).to.equal('text/javascript; charset=utf-8');
                 expect(res.headers['content-length']).to.exist();
             });
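Review bot: the only change in this hunk is the expected `content-type` for `/filefn/index.js`, from `application/javascript; charset=utf-8` to `text/javascript; charset=utf-8`; nothing here touches the confinement check, so this commit cannot be the fix for the sibling-prefix bypass and should not be linked as the sole patch for CVE-2026-48049. The commit message `chore: fix unit test` also does not say why the expected MIME type changed; a one-line note on what caused the change would make the test adjustment reviewable, and the confinement fix itself (the 7.1.1 boundary check the advisory refers to) should be linked as a separate commit.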
     
    

Vulnerability mechanics

Root cause

"The confinement check in `@hapi/inert` used a raw string-prefix test instead of a path-component boundary check, allowing sibling directories with a shared prefix to bypass confinement."

Attack vector

An unauthenticated remote attacker who knows or guesses a sibling directory name that shares a string prefix with the served directory can read any file inside it. The attacker sends a crafted request such as `/..%2fstatic-secret/secret.txt` to traverse out of the intended directory and into the sibling. The server's confinement check fails to reject the path because the sibling's absolute path starts with the same characters as the confine directory. Only applications that have a sibling directory sharing a string prefix with the served directory are exploitable.

Affected code

The vulnerability resides in the confinement check logic of `@hapi/inert`'s `directory`/`file` handlers and `h.file()` helper. The check compared the resolved absolute path against the confine directory using a raw string-prefix test, so a sibling directory whose absolute path begins with the same characters as the confine directory (e.g. `/app/static-secret` next to `/app/static`) was incorrectly accepted as confined.

What the fix does

The patch shown only adjusts a unit test assertion (changing `application/javascript` to `text/javascript`), which does not address the confinement bypass. The actual fix is described in the advisory: upgrade to version 7.1.1, which implements a proper path-component boundary check instead of the raw string-prefix comparison. The confinement check now ensures that the resolved path is truly a descendant of the confine directory rather than merely sharing a string prefix.

Preconditions

  • config: The application must serve a directory via `@hapi/inert` that has a sibling directory whose name starts with the same characters as the served directory.
  • input: The attacker must know or guess the name of the sibling directory to craft the traversal path.
  • config: The target file must be readable by the server process.

Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
