Platform
nodejs
Component
@fastify/static
Fixed in
9.1.1
CVE-2026-6414 affects the @fastify/static Node.js package from version 8.0.0 up to, but not including, 9.1.1 (the fixed release). The vulnerability lets an attacker bypass route-based middleware and read files that a route guard was meant to protect, by exploiting a mismatch between how Fastify's router and @fastify/static handle percent-encoded path separators. The vulnerability was published on 2026-04-16, and a patch is available in version 9.1.1.
The core of the issue is that @fastify/static percent-decodes path separators (%2F) before resolving the filesystem path, while Fastify's router matches routes on the raw request path, where %2F is an ordinary character rather than a separator. That discrepancy is the routing bypass. An attacker requests an encoded path such as /admin%2Fsecret.html; to the router this is a single segment, so it never matches a /admin/* route guard and none of the middleware attached to that prefix runs. @fastify/static then decodes the same path to /admin/secret.html and serves the file if it exists. Any access control implemented as route-based middleware or a route guard is therefore circumvented for the files under the protected prefix, exposing content that was meant to be restricted.
As of the publication date (2026-04-16), there is no public proof-of-concept available. The vulnerability's severity is rated MEDIUM. It is not currently listed on the CISA KEV catalog. Because the bypass is a single crafted URL, exploitation attempts are plausible, particularly in environments where @fastify/static is widely deployed and route-based access controls are the only thing standing between a request and the file.
Exploit Status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary and recommended mitigation is to upgrade to @fastify/static version 9.1.1 or later, which resolves the routing mismatch. There are no viable workarounds for this vulnerability, and downgrading to any release before 9.1.1 leaves the application vulnerable. Stricter file permissions at the operating-system level add a layer of defense only for files the application should never serve at all; the Node process must already be able to read the files it serves under /admin, so OS permissions do not close this bypass. After upgrading, confirm the fix by requesting a protected file with an encoded path separator (e.g. /admin%2Fsecret.html) and verifying that the response is not the file's contents.
Upgrade to @fastify/static version 9.1.1 or later to resolve the vulnerability. The fixed release handles encoded path separators consistently with the router, so a route guard can no longer be bypassed with %2F. There are no workarounds.
CVE-2026-6414 is a vulnerability in @fastify/static where percent-encoded path separators bypass route guards, allowing unauthorized file access.
You are affected if you are using @fastify/static versions from 8.0.0 up to, but not including, 9.1.1 and rely on route-based middleware or route guards to control access to served files.
Upgrade to @fastify/static version 9.1.1 or later. There are no workarounds available.
As of the publication date, there is no confirmed active exploitation, but the vulnerability is potentially exploitable.
Refer to the official @fastify/static documentation and security advisories for the most up-to-date information.