Description
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.
Published: 2026-04-16
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Route Guard Bypass via Encoded Path Separators
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in @fastify/static between versions 8.0.0 and 9.1.0 involves the plugin decoding percent‑encoded path separators (%2F) before resolving the file system path, while the Fastify router treats the encoded sequence as a literal slash. This inconsistency lets an attacker craft a URL that bypasses route‑based middleware or guards placed around static asset routes. The attack does not provide code execution but can expose files that should be protected. Based on the description, it is inferred that access to otherwise restricted static content may be gained. The weakness is related to CWE‑177 (Path Traversal) and CWE‑76 (Improper Handling of Encoded Input).

Affected Systems

Node.js applications that use @fastify/static (catalogued as @fastify/static) are affected in all releases from 8.0.0 through 9.1.0. The vulnerability also applies to frameworks that employ the forked version of @fastify/static, such as Hono.

Risk and Exploitability

The CVSS score of 5.9 denotes moderate severity. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog. The ability to bypass route guards depends on receiving an HTTP request containing percent‑encoded slash characters; this request is trivial to construct. Based on the description, it is inferred that bypassing the guard may reveal confidential files, potentially resulting in data disclosure. No remote code execution is provided, but the exposure of sensitive assets could have significant business impact.

Generated by OpenCVE AI on April 17, 2026 at 03:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @fastify/static to version 9.1.1 or later.
  • Update any custom middleware or route guards that rely on the Fastify router’s interpretation of encoded path separators to accommodate the plugin’s new behavior.
  • Implement a pre‑router validation step that rejects or logs requests containing percent‑encoded slash characters, adding an extra barrier against future bypass attempts.
  • Conduct a security review of static asset routing to ensure that sensitive files are not exposed through static folders or incorrectly configured routes.

Generated by OpenCVE AI on April 17, 2026 at 03:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x428-ghpx-8j92 @fastify/static vulnerable to route guard bypass via encoded path separators
History

Fri, 17 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-76
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 16 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Fastify
Fastify fastify-static
Vendors & Products Fastify
Fastify fastify-static

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description @fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.
Title @fastify/static vulnerable to route guard bypass via encoded path separators
Weaknesses CWE-177
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Fastify Fastify-static
cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-04-16T13:48:52.393Z

Reserved: 2026-04-15T23:37:33.949Z

Link: CVE-2026-6414

cve-icon Vulnrichment

Updated: 2026-04-16T13:48:41.093Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-16T13:16:52.243

Modified: 2026-04-17T15:17:00.957

Link: CVE-2026-6414

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-16T13:09:03Z

Links: CVE-2026-6414 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T03:30:08Z

Weaknesses