CVE-2026-6414
MEDIUM5.9EPSS 0.02%@fastify/static vulnerable to route guard bypass via encoded path separators
Published: 4/16/2026Modified: 4/16/2026
Description
### Impact `@fastify/static` v9.1.0 and earlier decodes percent-encoded path separators (`%2F`) before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on `/admin/*` do not match `/admin%2Fsecret.html`, but @fastify/static decodes it to `/admin/secret.html` and serves the file. Applications that rely on route-based middleware or guards to protect files served by @fastify/static can be bypassed with encoded path separators. ### Patches Upgrade to `@fastify/static` >= 9.1.1. ### Workarounds None. Upgrade to the patched version.
Affected packages (1)
- npm/@fastify/static>= 8.0.0, < 9.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-6414
- PATCHhttps://github.com/fastify/fastify-static
- WEBhttps://cna.openjsf.org/security-advisories.html
- WEBhttps://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92
- WEBhttps://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p
- WEBhttps://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr