CVE-2026-6410 PUBLISHED

@fastify/static vulnerable to path traversal in directory listing

Assigner: openjs
Reserved: 15.04.2026 Published: 16.04.2026 Updated: 16.04.2026

@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	@fastify/static
Product	@fastify/static
Versions	Default: unaffected affected from 8.0.0 to 9.1.1 (excl.) Version 9.1.1 is unaffected

Credits

yuki-matsuhashi finder
mcollina remediation developer
UlisesGascon remediation reviewer
climba03003 remediation reviewer

References

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE