VDB
KO
MEDIUM 5.9

GHSA-x428-ghpx-8j92

@fastify/static vulnerable to route guard bypass via encoded path separators

Details

### Impact

`@fastify/static` v9.1.0 and earlier decodes percent-encoded path separators (`%2F`) before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on `/admin/*` do not match `/admin%2Fsecret.html`, but @fastify/static decodes it to `/admin/secret.html` and serves the file.

Applications that rely on route-based middleware or guards to protect files served by @fastify/static can be bypassed with encoded path separators.

### Patches

Upgrade to `@fastify/static` >= 9.1.1.

### Workarounds

None. Upgrade to the patched version.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @fastify/static
Introduced in: 8.0.0 Fixed in: 9.1.1
Fix npm install @fastify/static@9.1.1

References