51 matches found
Improper Handling of URL Encoding (Hex Encoding)
Overview: @fastify/static is a plugin for serving static files as fast as possible. Affected versions of this package are vulnerable to Improper Handling of URL Encoding (Hex Encoding) via the handling of percent-encoded path separators in the fastifyStatic function. This creates a mismatch between...
@13w/local-rag (>=1.6.0 <=1.7.2), @24letters/devservers (>=0.1.0 <=0.5.0) +626 more potentially affected by CVE-2026-6414 via @fastify/static (>=8.0.0 <=9.1.0)
@fastify/static NPM version =8.0.0, =1.6.0, =0.1.0, =0.1.0, =0.4.0, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0-beta.23, =0.0.1, =1.0.0, =2.0.0, =1.0.0, =1.1.0 and more Source cves: CVE-2026-6414 Source advisory: SNYK:JS-FASTIFYSTATIC-16098210...
CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...
Fastify-Static Security Vulnerability
Fastify-Static is an open-source plugin developed by Fastify. It is used to deliver static files as quickly as possible. Versions of Fastify-Static from 8.0.0 to 9.1.0 contain security vulnerabilities. These vulnerabilities stem from decoding percent-encoded path separators, which may allow...
Fastify-Static Security Vulnerability
Fastify-Static is an open-source plugin developed by Fastify. It is used to deliver static files as quickly as possible. Versions of Fastify-Static from 8.0.0 to 9.1.0 have security vulnerabilities; these vulnerabilities stem from path traversal when directory listings are enabled, which may lead...
PT-2026-33313
Name of the Vulnerable Software and Affected Versions: @fastify/static versions 8.0.0 through 9.1.0. Description: @fastify/static decodes percent-encoded path separators '%2F' before filesystem resolution, whereas the Fastify router treats them as literal characters. This discrepancy allows for a...
PT-2026-33321
Name of the Vulnerable Software and Affected Versions: @fastify/static versions 8.0.0 through 9.1.0. Description: Path traversal occurs when directory listing is enabled via the list option. The dirList.path function resolves directories outside the configured static root using path.join without a...
EUVD-2021-2236
Malware in sbrugna...
EUVD-2021-2234
Malware in sbrugna...
The vulnerability of the redirect parameter in the fastify-static plugin allows a hacker to redirect users of Mozilla Firefox to arbitrary websites.
The vulnerability of the redirect parameter in the fastify-static plugin relates to the ability to redirect users to untrusted URLs. Exploiting this vulnerability allows a malicious actor to redirect users of Mozilla Firefox to arbitrary websites...
CVE-2021-22964
A redirect vulnerability in the fastify-static module version = 4.2.4 and 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e. A DOS vulnerability is possible if the...
CVE-2021-22963
A redirect vulnerability in the fastify-static module version 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e. The issue shows up on all the fastify-static applications that set redirect: tru...
CVE-2021-22963
A redirect vulnerability in the fastify-static module version 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e. The issue shows up on all the fastify-static applications that set redirect: tru...
CVE-2021-22964
A redirect vulnerability in the fastify-static module version = 4.2.4 and 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e. A DOS vulnerability is possible if the...
CVE-2021-22964
A redirect vulnerability in the fastify-static module version = 4.2.4 and 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e. A DOS vulnerability is possible if the...
CVE-2021-22963
A redirect vulnerability in the fastify-static module version 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e. The issue shows up on all the fastify-static applications that set redirect: tru...
Design/Logic Flaw
A redirect vulnerability in the fastify-static module version 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e. The issue shows up on all the fastify-static applications that set redirect: tru...
Design/Logic Flaw
A redirect vulnerability in the fastify-static module version = 4.2.4 and 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e. A DOS vulnerability is possible if the...
CVE-2021-22963
CVE-2021-22963 describes a redirect vulnerability in the fastify-static module (versions before 4.2.4). When applications enable redirect: true, an attacker can trick users into visiting arbitrary sites by using a double slash followed by a domain (e.g., //domain). The issue affects fastify-stati...
CVE-2021-22963
A redirect vulnerability in the fastify-static module version 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e. The issue shows up on all the fastify-static applications that set redirect: tru...