Home

Description

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.

PUBLISHED Reserved 2026-04-15 | Published 2026-04-16 | Updated 2026-04-16 | Assigner openjs




MEDIUM: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-177: Improper Handling of URL Encoding (Hex Encoding)

Product status

Default status
unaffected

8.0.0 (semver) before 9.1.1
affected

9.1.1 (semver)
unaffected

Credits

blakeembrey reporter

mcollina remediation developer

UlisesGascon remediation reviewer

climba03003 remediation reviewer

References

github.com/...middie/security/advisories/GHSA-cxrg-g7r8-w69p

github.com/...s/hono/security/advisories/GHSA-q5qw-h33p-qvwr

github.com/...static/security/advisories/GHSA-x428-ghpx-8j92

cna.openjsf.org/security-advisories.html

cve.org (CVE-2026-6414)

nvd.nist.gov (CVE-2026-6414)

Download JSON