@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL.
Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
References 4
https://cna.openjsf.org/security-advisories.html
ce714d77-add3-4f53-aff5-83d477b104bb
https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j…
ce714d77-add3-4f53-aff5-83d477b104bb
https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p
ce714d77-add3-4f53-aff5-83d477b104bb
https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr
ce714d77-add3-4f53-aff5-83d477b104bb