VYPR

npm package

@fastify/static

pkg:npm/%40fastify/static

Vulnerabilities (2)

  • CVE-2026-6410 | Med | Apr 16, 2026
    affected >= 8.0.0, < 9.1.1 | fixed 9.1.1

    @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated att

  • CVE-2026-6414 | Med | Apr 16, 2026
    affected >= 8.0.0, < 9.1.1 | fixed 9.1.1

    @fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by