Platform: nodejs
Component: node.js
Fixed in: 9.1.1
CVE-2026-6410 describes a Path Traversal vulnerability found in the @fastify/static Node.js plugin. This vulnerability allows an unauthenticated attacker to potentially disclose directory listings, revealing the names of files and directories accessible to the Node.js process. The vulnerability affects versions 8.0.0 through 9.1.0 of the plugin, and a fix is available in version 9.1.1. Disabling directory listing is a viable workaround.
The primary impact of CVE-2026-6410 is the potential for information disclosure. While file contents are not directly exposed, an attacker can leverage this vulnerability to map the directory structure accessible to the Node.js process. This information could be used for reconnaissance, identifying potential targets for further attacks, or understanding the application's internal workings. The ability to enumerate directories provides a significant advantage to attackers, allowing them to identify sensitive files or configuration data that might be present. This vulnerability is similar in impact to other path traversal vulnerabilities where directory structures are exposed, though it lacks the ability to directly read file contents.
CVE-2026-6410 was publicly disclosed on 2026-04-16. There is no indication of active exploitation campaigns or KEV listing at the time of writing. Public proof-of-concept exploits are not currently available, but the vulnerability's nature makes it likely that such exploits will emerge. The EPSS score is likely to be low to medium, reflecting the need for attacker interaction and the limited impact (directory listing only).
Exploit Status
EPSS: 0.02% (6th percentile)
The recommended mitigation for CVE-2026-6410 is to upgrade to @fastify/static version 9.1.1 or later, which contains the fix. If upgrading is not immediately feasible, a workaround is to disable directory listing by removing the list option from the plugin configuration. This prevents the directory listing functionality from being exposed, effectively mitigating the path traversal risk. Review your application's configuration to ensure that directory listing is not enabled unnecessarily. After upgrading, confirm the fix by attempting to access a directory listing endpoint; it should return a 403 Forbidden error.
Update the @fastify/static package to version 9.1.1 or higher to resolve the path traversal vulnerability. As an alternative, disable directory listing by removing the 'list' option from the plugin configuration.
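As an added example (not code from this advisory or from the @fastify/static project), the following Node.js audit helper checks an installed version against the affected range stated above and strips the 'list' option from a registration options object, which is the advisory's workaround. The function names, the sample options and the version string are assumptions; in a real project the version would be read from the installed package.

```javascript
// Added audit helper for CVE-2026-6410 (not @fastify/static code).
// Affected range 8.0.0 through 9.1.0 and the `list` option are taken from the advisory.
const AFFECTED_MIN = [8, 0, 0];
const FIRST_FIXED = [9, 1, 1];

// Parse "9.1.0"; a leading "v" and any prerelease suffix are tolerated.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True for 8.0.0 <= version < 9.1.1, i.e. every version the advisory lists as affected.
function isAffectedVersion(version) {
  const v = parseSemver(version);
  return compareSemver(v, AFFECTED_MIN) >= 0 && compareSemver(v, FIRST_FIXED) < 0;
}

// Return a copy of the registration options with directory listing removed.
// `list` may be `true` or an object; either way its presence enables listing.
function hardenStaticOptions(options) {
  const { list, ...rest } = options;
  return { listingWasEnabled: Boolean(list), options: rest };
}

// Combine both checks into a single verdict for one @fastify/static registration.
function auditRegistration(installedVersion, options) {
  const affected = isAffectedVersion(installedVersion);
  const { listingWasEnabled, options: hardened } = hardenStaticOptions(options);
  let action = 'none';
  if (affected && listingWasEnabled) action = 'upgrade-to-9.1.1-or-remove-list';
  else if (affected) action = 'upgrade-to-9.1.1';
  return { affected, listingWasEnabled, action, hardenedOptions: hardened };
}

// Constructed sample input (hypothetical paths and version). In a real project use
// require('@fastify/static/package.json').version for the installed version.
const sampleOptions = { root: '/srv/app/public', prefix: '/static/', list: { format: 'html' } };
console.log(auditRegistration('9.0.3', sampleOptions));
```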
CVE-2026-6410 is a vulnerability in @fastify/static allowing attackers to disclose directory listings. It affects versions 8.0.0 through 9.1.0.
You are affected if you use @fastify/static versions 8.0.0 to 9.1.0 and have directory listing enabled.
Upgrade to @fastify/static version 9.1.1 or disable directory listing by removing the 'list' option from the plugin configuration.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official @fastify/static project repository and security advisories for the most up-to-date information.