Skip to main content

Fastify Static

3 CVEs product

Monthly

CVE-2026-6414 npm MEDIUM PATCH GHSA This Month

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.

Authentication Bypass Fastify Static
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2021-22964 npm HIGH POC PATCH This Week

A redirect vulnerability in the `fastify-static` module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Denial Of Service Fastify Static
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-22963 npm MEDIUM POC PATCH This Month

A redirect vulnerability in the fastify-static module version < 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain:. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Open Redirect Fastify Static
NVD
CVSS 3.1
6.1
EPSS
1.1%
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.

Authentication Bypass Fastify Static
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

A redirect vulnerability in the `fastify-static` module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Denial Of Service Fastify Static
NVD
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

A redirect vulnerability in the fastify-static module version < 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain:. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Open Redirect Fastify Static
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy