CVE-2026-6410

Severity: MEDIUM (CVSS 5.3) | EPSS: 0.03%

@fastify/static vulnerable to path traversal in directory listing

Published: 4/16/2026 | Modified: 4/16/2026

Description

### Impact

`@fastify/static` v9.1.0 and earlier serves directory listings outside the configured static root when the `list` option is enabled. A request such as `/public/../outside/` causes `dirList.path()` to resolve a directory outside the root via `path.join()` without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory names and filenames that should not be exposed. File contents are not disclosed.

### Patches

Upgrade to `@fastify/static` >= 9.1.1.

### Workarounds

Disable directory listing by removing the `list` option from the plugin configuration. Deployments that never set `list` do not expose the listing feature and are not affected by this issue.

Affected packages (1)

`@fastify/static` (npm): versions <= 9.1.0 affected; fixed in 9.1.1

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
