MEDIUM · CVE-2026-6414 · CVSS 5.9

CVE-2026-6414: Path Traversal in @fastify/static

Platform

nodejs

Component

@fastify/static

Fixed in

9.1.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-6414 affects versions 8.0.0 through 9.1.1 of the @fastify/static Node.js package. This vulnerability allows attackers to bypass route-based middleware and access protected files by exploiting a mismatch in how path separators are handled. The vulnerability was published on 2026-04-16, and a patch is available in version 9.1.1.

Impact and Attack Scenarios

The core of the issue lies in how @fastify/static decodes percent-encoded path separators (%2F) before resolving the filesystem path, while Fastify's router treats them as literal characters. This discrepancy creates a routing bypass. An attacker can craft a request with an encoded path, such as /admin%2Fsecret.html, which Fastify's router will not match against a /admin/* route guard. However, @fastify/static will decode this to /admin/secret.html and serve the file if it exists. This effectively circumvents any access controls implemented through route-based middleware or guards, potentially exposing sensitive data or allowing unauthorized actions.

Exploitation Context

As of the publication date (2026-04-16), there is no public proof-of-concept available. The vulnerability's severity is rated MEDIUM. It is not currently listed on the CISA KEV catalog. Given the relatively straightforward nature of the bypass, it's plausible that exploitation attempts could emerge, particularly in environments where @fastify/static is widely deployed and route-based access controls are relied upon.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 3 threat reports

EPSS

0.01% (3% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Base score: 5.9 (MEDIUM), CVSS v3.1 (nextguardhq.com)

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: None — no integrity impact. Attacker cannot modify data.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Component: @fastify/static
Vendor: @fastify/static
Affected range: 8.0.0 – 9.1.1
Fixed in: 9.1.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary and recommended mitigation is to upgrade to @fastify/static version 9.1.1 or later, which addresses the routing mismatch. Unfortunately, there are no viable workarounds for this vulnerability. Rolling back to a previous version is not recommended as it reintroduces the vulnerability. Consider implementing stricter file access controls at the operating system level as an additional layer of defense, but this will not fully mitigate the risk. After upgrading, confirm the fix by attempting to access a protected file using an encoded path separator (e.g., /admin%2Fsecret.html) and verifying that access is denied.

How to fix

Upgrade to version 9.1.1 of @fastify/static to resolve the vulnerability. This version fixes the issue by correctly handling encoded path separators, preventing route protection bypass. There are no workarounds.


Frequently asked questions

What is CVE-2026-6414 — Path Traversal in @fastify/static?

CVE-2026-6414 is a vulnerability in @fastify/static where percent-encoded path separators bypass route guards, allowing unauthorized file access.

Am I affected by CVE-2026-6414 in @fastify/static?

You are affected if you are using @fastify/static versions 8.0.0 through 9.1.1 and rely on route-based middleware for file access control.

How do I fix CVE-2026-6414 in @fastify/static?

Upgrade to @fastify/static version 9.1.1 or later. There are no workarounds available.

Is CVE-2026-6414 being actively exploited?

As of the publication date, there is no confirmed active exploitation, but the vulnerability is potentially exploitable.

Where can I find the official @fastify/static advisory for CVE-2026-6414?

Refer to the official @fastify/static documentation and security advisories for the most up-to-date information.
