CVE-2026-6414: @fastify/static vulnerable to route guard bypass via encoded path separators
@fastify/static v9.1.0 and earlier decodes percent-encoded path separators (%2F) before filesystem resolution, but Fastify’s router treats them as literal characters. This creates a routing mismatch: route guards on /admin/* do not match /admin%2Fsecret.html, but @fastify/static decodes it to /admin/secret.html and serves the file.
Applications that rely on route-based middleware or guards to protect files served by @fastify/static can be bypassed with encoded path separators.
References
- cna.openjsf.org/security-advisories.html
- github.com/advisories/GHSA-x428-ghpx-8j92
- github.com/fastify/fastify-static
- github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92
- github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p
- github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr
- nvd.nist.gov/vuln/detail/CVE-2026-6414
Code Behaviors & Features
Detect and mitigate CVE-2026-6414 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →