CVE-2026-6414 PUBLISHED

@fastify/static vulnerable to route guard bypass via encoded path separators

Assigner: openjs
Reserved: 15.04.2026 Published: 16.04.2026 Updated: 16.04.2026

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 5.9

Product Status

Vendor @fastify/static
Product @fastify/static
Versions Default: unaffected
  • affected from 8.0.0 to 9.1.1 (excl.)
  • Version 9.1.1 is unaffected

Credits

  • blakeembrey reporter
  • mcollina remediation developer
  • UlisesGascon remediation reviewer
  • climba03003 remediation reviewer

Problem Types

  • CWE-177: Improper Handling of URL Encoding (Hex Encoding)