MEDIUM 5.9
GHSA-x428-ghpx-8j92
@fastify/static vulnerable to route guard bypass via encoded path separators
상세
### Impact
`@fastify/static` v9.1.0 and earlier decodes percent-encoded path separators (`%2F`) before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on `/admin/*` do not match `/admin%2Fsecret.html`, but @fastify/static decodes it to `/admin/secret.html` and serves the file.
Applications that rely on route-based middleware or guards to protect files served by @fastify/static can be bypassed with encoded path separators.
### Patches
Upgrade to `@fastify/static` >= 9.1.1.
### Workarounds
None. Upgrade to the patched version.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92 [WEB]
- https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p [WEB]
- https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-6414 [ADVISORY]
- https://cna.openjsf.org/security-advisories.html [WEB]
- https://github.com/fastify/fastify-static [PACKAGE]