Medium severity5.9NVD Advisory· Published Apr 16, 2026· Updated Apr 23, 2026
CVE-2026-6414
CVE-2026-6414
Description
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@fastify/staticnpm | >= 8.0.0, < 9.1.1 | 9.1.1 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- cna.openjsf.org/security-advisories.htmlnvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-x428-ghpx-8j92ghsaADVISORY
- github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-6414ghsaADVISORY
- github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69pnvdNot ApplicableWEB
- github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwrnvdNot ApplicableWEB
News mentions
0No linked articles in our index yet.