CVE-2026-6410

@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path function resolves directories outside the configured static root using path.join without a containment check. A remote unauthenticated attacker can obtain...

CVE-2026-6410 @fastify/static vulnerable to path traversal in directory listing

@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path function resolves directories outside the configured static root using path.join without a containment check. A remote unauthenticated attacker can obtain...

CVE-2026-6414

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

CVE-2026-6414

The CVE concerns @fastify/static (versions 8.0.0–9.1.0) where percent-encoded path separators (%2F) are decoded before filesystem resolution, but Fastify’s router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware/guards that protect files served by...

CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

CVE-2026-6414

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

Improper Handling of URL Encoding (Hex Encoding)

Overview @fastify/static is a Plugin for serving static files as fast as possible. Affected versions of this package are vulnerable to Improper Handling of URL Encoding Hex Encoding via the handling of percent-encoded path separators in the fastifyStatic function. This creates a mismatch between...

@13w/local-rag (>=1.6.0 <=1.7.2), @24letters/devservers (>=0.1.0 <=0.5.0) +626 more potentially affected by CVE-2026-6414 via @fastify/static (>=8.0.0 <=9.1.0)

@fastify/static NPM version =8.0.0, =1.6.0, =0.1.0, =0.1.0, =0.4.0, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0-beta.23, =0.0.1, =1.0.0, =2.0.0, =1.0.0, =1.1.0 and more Source cves: CVE-2026-6414 Source advisory: SNYK:JS-FASTIFYSTATIC-16098210...

Improper Access Control

@fastify/express is vulnerable to Improper Access Control. The vulnerability is due to incorrect path handling in the onRegister function, where middleware paths are duplicated when inherited by child plugins, causing them to not match incoming requests and resulting in bypass of security control...

EUVD-2026-22881

@fastify/express has a middleware authentication bypass via URL normalization gaps duplicate slashes and semicolons...

@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Summary @fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors: 1. Duplicate slashes //admin/dashboard when...

GHSA-6HW5-45GM-FJ88 @fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Summary @fastify/express v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors: 1. Duplicate slashes //admin/dashboard when...

EUVD-2026-22880

@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes...

@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes

Summary @fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share ...

GHSA-HRWM-HGMJ-7P9C @fastify/express's middleware path doubling causes authentication bypass in child plugin scopes

Summary @fastify/express v4.0.4 contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share ...

EUVD-2026-22877

Fastify's connection header abuse enables stripping of proxy-added headers...

Fastify's connection header abuse enables stripping of proxy-added headers

Summary @fastify/reply-from and @fastify/http-proxy process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers like access control or identification headers from upstream requests by...

GHSA-GWHP-PF74-VJ37 Fastify's connection header abuse enables stripping of proxy-added headers

Summary @fastify/reply-from and @fastify/http-proxy process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers like access control or identification headers from upstream requests by...

PT-2026-33320

Name of the Vulnerable Software and Affected Versions @fastify/middie versions prior to 9.3.2 Description Inherited middleware is not registered directly on child plugin engine instances. When authentication middleware is registered in a parent scope and child plugins are registered with...