A redirect vulnerability in the fastify-static
module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash //
followed by a domain: http://localhost:3000//google.com/%2e%2e
.
The issue shows up on all the fastify-static
applications that set redirect: true
option. By default, it is false
.
The issue has been patched in [email protected]
If updating is not an option, you can sanitize the input URLs using the rewriteUrl
server option.
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
fastify-static | lt | 4.2.4 |