Advisories for Npm/@Fastify/Static package

2026

@fastify/static vulnerable to route guard bypass via encoded path separators

@fastify/static v9.1.0 and earlier decodes percent-encoded path separators (%2F) before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on /admin/* do not match /admin%2Fsecret.html, but @fastify/static decodes it to /admin/secret.html and serves the file. Applications that rely on route-based middleware or guards to protect files served by @fastify/static can be bypassed with encoded path separators.

@fastify/static vulnerable to path traversal in directory listing

@fastify/static v9.1.0 and earlier serves directory listings outside the configured static root when the list option is enabled. A request such as /public/../outside/ causes dirList.path() to resolve a directory outside the root via path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory names and filenames that should not be exposed. File contents are not disclosed.