Description

@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.

INFO

Published Date :

2026-04-16T13:29:08.120Z

Last Modified :

2026-04-16T14:19:36.780Z

Source :

openjs
AFFECTED PRODUCTS

The following products are affected by CVE-2026-6410 vulnerability.

Vendors Products
Fastify
  • Fastify-static
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-6410.

URL Resource
https://cna.openjsf.org/security-advisories.html cve-icon cve-icon cve-icon
https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-6410 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-6410 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact