51 matches found
CVE-2021-22964
A redirect vulnerability in the fastify-static module version = 4.2.4 and 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e. A DOS vulnerability is possible if the...
CVE-2021-22964
CVE-2021-22964 describes a redirect vulnerability in the fastify-static module (versions >=4.2.4 and
Fastify-Static Input Validation Error Vulnerability
Fastify-Static is a plugin. It is used to serve static files as soon as possible. A security vulnerability exists in versions of the fastify-static module prior to 4.2.4, which can be exploited by an attacker to redirect a user to an arbitrary website using a double slash followed by a domain...
Fastify-Static Input Validation Error Vulnerability
Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security vulnerability exists in the fastify-static module versions 4.2.4 through 4.4.1, which can be exploited by an attacker to redirect a user to an arbitrary website using a double-slash followed...
@wmfs/tymly-fastify-plugin (>=1.50.0 <=1.51.0), egg-bag (>=1.44.43 <=1.45.11) potentially affected by CVE-2021-22964 via fastify-static (>=4.2.4 <=4.4.0)
fastify-static NPM version =4.2.4, =1.50.0, =1.44.43, =1.45.11 Source cves: CVE-2021-22964 Source advisory: OSV:GHSA-PGH6-M65R-2RHQ...
DOS and Open Redirect with user input
Impact A redirect vulnerability in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e. A DOS vulnerability is possible if the URL contains inval...
GHSA-PGH6-M65R-2RHQ DOS and Open Redirect with user input
Impact A redirect vulnerability in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e. A DOS vulnerability is possible if the URL contains inval...
Fastify: 1-click DOS in fastify-static via directly passing user's input to new URL() of NodeJS without try/catch
Summary: When fastify-static is mounted at root and registered with the option redirect: true (the default of the redirect option is false), the following line directly feeds the user's input, which is req.raw.url, to the URL API without try/catch: https://github.com/fastify/fastify-static/blob/master/index.js#L439. A remo...
@acot/acot-config (>=0.0.4 <=0.0.8), @acot/acot-preset-axe (>=0.0.4 <=0.0.8) +253 more potentially affected by CVE-2021-22963 via fastify-static (>=0.10.1 <=4.2.3)
fastify-static NPM version =0.10.1, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =1.1.0, =1.0.0, =1.0.1, =1.0.0-beta.1, =0.1.1-alpha.1, =0.1.0, =0.1.0, =1.0.0, =1.10.0 and more Source cves: CVE-2021-22963 Source advisory: OSV:GHSA-P6VG-P826-QP3V...
GHSA-P6VG-P826-QP3V URL Redirection to Untrusted Site ('Open Redirect') in fastify-static
Impact A redirect vulnerability in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e. The issue shows up on all the fastify-static applications that set...
Fastify: Open redirect in fastify-static via mishandled user's input when attempt to redirect
Summary: When fastify-static is mounted at root and the register option redirect: true is set, the following 2 lines cause an open redirect bug: https://github.com/fastify/fastify-static/blob/master/index.js#L156-L157. A remote attacker can redirect users to arbitrary web sites via a double forward slash:...