VDB
EN
MEDIUM 5.9

GHSA-x428-ghpx-8j92

@fastify/static vulnerable to route guard bypass via encoded path separators

상세

### Impact

`@fastify/static` v9.1.0 and earlier decodes percent-encoded path separators (`%2F`) before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on `/admin/*` do not match `/admin%2Fsecret.html`, but @fastify/static decodes it to `/admin/secret.html` and serves the file.

Applications that rely on route-based middleware or guards to protect files served by @fastify/static can be bypassed with encoded path separators.

### Patches

Upgrade to `@fastify/static` >= 9.1.1.

### Workarounds

None. Upgrade to the patched version.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / @fastify/static
최초 영향 버전: 8.0.0 수정 버전: 9.1.1
수정 npm install @fastify/static@9.1.1

참고