4 matches found
CVE-2021-22964
CVE-2021-22964 describes a redirect vulnerability in the fastify-static module (versions >=4.2.4 and
CVE-2021-22963
CVE-2021-22963 describes a redirect vulnerability in the fastify-static module (versions before 4.2.4). When applications enable redirect: true, an attacker can trick users into visiting arbitrary sites by using a double slash followed by a domain (e.g., //domain). The issue affects fastify-stati...
CVE-2026-6414
The CVE concerns @fastify/static (versions 8.0.0–9.1.0) where percent-encoded path separators (%2F) are decoded before filesystem resolution, but Fastify’s router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware/guards that protect files served by...
CVE-2026-6410
Affected product/component: @fastify/static, versions 8.0.0–9.1.0. Root cause: dirList.path() uses path.join() to resolve directories outside the configured static root without containment checks, enabling path traversal when directory listing is enabled via the list option. Impact: remote unauth...