CVE-2026-6410
- EPSS 0.51%
- Published 16.04.2026 13:29:08
- Last modified 23.04.2026 19:31:39
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check...
CVE-2026-6414
- EPSS 0.4%
- Published 16.04.2026 13:16:52
- Last modified 23.04.2026 19:41:18
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guard...
CVE-2021-22963
- EPSS 1.13%
- Published 14.10.2021 15:15:08
- Last modified 21.11.2024 05:51:01
A redirect vulnerability in the fastify-static module version < 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e. The issue shows up on all the f...
CVE-2021-22964
- EPSS 0.99%
- Published 14.10.2021 15:15:08
- Last modified 21.11.2024 05:51:01
A redirect vulnerability in the `fastify-static` module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed by a domain: `http://localhost:3000//a//youtube.com/...