A redirect vulnerability in the fastify-static
module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash //
followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e
.
A DOS vulnerability is possible if the URL contains invalid characters curl --path-as-is "http://localhost:3000//^/.."
The issue shows up on all the fastify-static
applications that set redirect: true
option. By default, it is false
.
The issue has been patched in [email protected]
If updating is not an option, you can sanitize the input URLs using the rewriteUrl
server option.
If you have any questions or comments about this advisory: