4 matches found
CVE-2026-6414
A flaw was found in @fastify/static. A remote attacker can exploit this vulnerability by sending specially crafted requests that include percent-encoded path separators. This mismatch in how @fastify/static decodes these separators compared to the Fastify router allows the attacker to bypass...
@13w/local-rag (>=1.6.0 <=1.7.2), @24letters/devservers (>=0.1.0 <=0.5.0) +632 more potentially affected by CVE-2026-6414 via @fastify/static (>=8.0.0 <=9.1.0)
@fastify/static NPM version =8.0.0, =1.6.0, =0.1.0, =0.1.0, =0.4.0, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =0.1.0, =0.1.0, =1.0.0-beta.23, =0.0.1, =1.0.0, =4.76.1 - @akiojin/claude-worktree =1.33.0 and more Source cves: CVE-2026-6414 Source advisory: SNYK:JS-FASTIFYSTATIC-16098210...
CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...
CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...