npm package
@fastify/static
pkg:npm/%40fastify/static
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-6410 | Med | 5.3 | | >= 8.0.0, < 9.1.1 | 9.1.1 | Apr 16, 2026 | @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated att |
| CVE-2026-6414 | Med | 5.9 | | >= 8.0.0, < 9.1.1 | 9.1.1 | Apr 16, 2026 | @fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by |