CVE-2026-6410
MEDIUM 5.3 | EPSS 0.03%
@fastify/static vulnerable to path traversal in directory listing
Published: 2026/4/16 | Modified: 2026/4/16
Description
### Impact

`@fastify/static` v9.1.0 and earlier serves directory listings outside the configured static root when the `list` option is enabled. A request such as `/public/../outside/` causes `dirList.path()` to resolve a directory outside the root via `path.join()` without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory names and filenames that should not be exposed. File contents are not disclosed.

### Patches

Upgrade to `@fastify/static` >= 9.1.1.

### Workarounds

Disable directory listing by removing the `list` option from the plugin configuration.
Affected packages (1)
- npm/@fastify/static: >= 8.0.0, < 9.1.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |