Advisory Database
CVE-2026-6410: @fastify/static vulnerable to path traversal in directory listing

April 16, 2026

@fastify/static v9.1.0 and earlier serves directory listings outside the configured static root when the list option is enabled. A request such as /public/../outside/ causes dirList.path() to resolve a directory outside the root via path.join() without a containment check.

A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory names and filenames that should not be exposed. File contents are not disclosed.

References

  • cna.openjsf.org/security-advisories.html
  • github.com/advisories/GHSA-pr96-94w5-mx2h
  • github.com/fastify/fastify-static
  • github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h
  • nvd.nist.gov/vuln/detail/CVE-2026-6410


Affected versions

All versions starting from 8.0.0 before 9.1.1

Fixed versions

  • 9.1.1

Solution

Upgrade to version 9.1.1 or above.

Impact: 5.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N


Weakness

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Source file

npm/@fastify/static/CVE-2026-6410.yml

Page generated Sat, 18 Apr 2026 12:20:14 +0000.