GHSA-pr96-94w5-mx2h

Suggest an improvement
Source
https://github.com/advisories/GHSA-pr96-94w5-mx2h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-pr96-94w5-mx2h/GHSA-pr96-94w5-mx2h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pr96-94w5-mx2h
Aliases
  • CVE-2026-6410
Published
2026-04-16T22:34:30Z
Modified
2026-04-16T22:51:48.481303Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
@fastify/static vulnerable to path traversal in directory listing
Details

Impact

@fastify/static v9.1.0 and earlier serves directory listings outside the configured static root when the list option is enabled. A request such as /public/../outside/ causes dirList.path() to resolve a directory outside the root via path.join() without a containment check.

A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory names and filenames that should not be exposed. File contents are not disclosed.

Patches

Upgrade to @fastify/static >= 9.1.1.

Workarounds

Disable directory listing by removing the list option from the plugin configuration.

Database specific 
{
    "nvd_published_at": "2026-04-16T14:16:20Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T22:34:30Z"
}
References

Affected packages

npm / @fastify/static

Package

Name
@fastify/static
View open source insights on deps.dev
Purl
pkg:npm/%40fastify/static

Affected ranges

Type
SEMVER
Events
Introduced
8.0.0
Fixed
9.1.1

Database specific

last_known_affected_version_range 
"<= 9.1.0"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-pr96-94w5-mx2h/GHSA-pr96-94w5-mx2h.json"