GHSA-PR96-94W5-MX2H
Vulnerability from github – Published: 2026-04-16 22:34 – Updated: 2026-04-16 22:34
Summary
@fastify/static vulnerable to path traversal in directory listing
Details
Impact
`@fastify/static` v9.1.0 and earlier serves directory listings outside the configured static root when the `list` option is enabled. A request such as `/public/../outside/` causes `dirList.path()` to resolve a directory outside the root via `path.join()` without a containment check.
A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory names and filenames that should not be exposed. File contents are not disclosed.
Patches
Upgrade to `@fastify/static` >= 9.1.1.
Workarounds
Disable directory listing by removing the `list` option from the plugin configuration.
Severity
5.3 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.1.0"
},
"package": {
"ecosystem": "npm",
"name": "@fastify/static"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "9.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-6410"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T22:34:30Z",
"nvd_published_at": "2026-04-16T14:16:20Z",
"severity": "MODERATE"
},
"details": "### Impact\n\n`@fastify/static` v9.1.0 and earlier serves directory listings outside the configured static root when the `list` option is enabled. A request such as `/public/../outside/` causes `dirList.path()` to resolve a directory outside the root via `path.join()` without a containment check.\n\nA remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory names and filenames that should not be exposed. File contents are not disclosed.\n\n### Patches\n\nUpgrade to `@fastify/static` \u003e= 9.1.1.\n\n### Workarounds\n\nDisable directory listing by removing the `list` option from the plugin configuration.",
"id": "GHSA-pr96-94w5-mx2h",
"modified": "2026-04-16T22:34:30Z",
"published": "2026-04-16T22:34:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6410"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/fastify-static"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "@fastify/static vulnerable to path traversal in directory listing"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.