VYPR

Fastify Static

by Fastify

CVEs (2)

  • CVE-2026-6414 | Med | Apr 16, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    @fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served…

  • CVE-2026-6410 | Med | Apr 16, 2026
    risk 0.27 | cvss 5.3 | epss 0.01

    @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated…