GHSA-pr96-94w5-mx2h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pr96-94w5-mx2h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-pr96-94w5-mx2h/GHSA-pr96-94w5-mx2h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pr96-94w5-mx2h
- Aliases
-
- CVE-2026-6410
- Published
- 2026-04-16T22:34:30Z
- Modified
- 2026-04-16T22:51:48.481303Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- @fastify/static vulnerable to path traversal in directory listing
- Details
-
Impact
@fastify/staticv9.1.0 and earlier serves directory listings outside the configured static root when thelistoption is enabled. A request such as/public/../outside/causesdirList.path()to resolve a directory outside the root viapath.join()without a containment check.A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory names and filenames that should not be exposed. File contents are not disclosed.
Patches
Upgrade to
@fastify/static>= 9.1.1.Workarounds
Disable directory listing by removing the
listoption from the plugin configuration. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-04-16T22:34:30Z", "cwe_ids": [ "CWE-22" ], "severity": "MODERATE", "nvd_published_at": "2026-04-16T14:16:20Z" }- References
Affected packages
npm / @fastify/static
Package
- Name
- @fastify/static
- View open source insights on deps.dev
- Purl
- pkg:npm/%40fastify/static