Vulnerability Description
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fastify | Fastify-Static | >= 8.0.0, < 9.1.1 |
Related Weaknesses (CWE)
References
- https://cna.openjsf.org/security-advisories.htmlThird Party Advisory
- https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2MitigationVendor Advisory
FAQ
What is CVE-2026-6410?
CVE-2026-6410 is a vulnerability with a CVSS score of 5.3 (MEDIUM). @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static ...
How severe is CVE-2026-6410?
CVE-2026-6410 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-6410?
Check the references section above for vendor advisories and patch information. Affected products include: Fastify Fastify-Static.