Redirect Vulnerability in fastify-static Module by Fastify
CVE-2021-22964

8.8 HIGH

Key Information:

Vendor:
Fastify
CVE Published:
14 October 2021

What is CVE-2021-22964?

Versions 4.2.4 through 4.4.0 of the fastify-static module contain an open-redirect vulnerability: a remote attacker can craft a URL containing double slashes so that the module's redirect sends the user to an arbitrary website. The module may also be susceptible to denial of service when a path contains invalid characters. Applications that use this module with the redirect option enabled (the default is false) are the ones exposed.
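The two conditions an operator cares about here are whether the installed version falls in the affected range and, if the redirect option is on, whether a redirect target derived from the request path can escape the origin. The following is an added example written for this page, not fastify-static's own code: a version-range check using the bounds stated above, and a guard that refuses protocol-relative targets (a leading `//` or `/\`, which browsers resolve against a different host) and control characters before any Location header is built. The `redirectTargetFor` helper is a hypothetical stand-in for a trailing-slash redirect; the sample inputs are constructed.

```javascript
// Parse a dotted "major.minor.patch" version (optional leading "v").
function parseVersion(v) {
  const parts = v.replace(/^v/, '').split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error('unsupported version string: ' + v);
  }
  return parts;
}

// Returns -1, 0 or 1 comparing two version strings numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: >= 4.2.4 and < 4.4.1 (fixed in 4.4.1).
function isAffectedVersion(v) {
  return compareVersions(v, '4.2.4') >= 0 && compareVersions(v, '4.4.1') < 0;
}

// Decide whether a redirect target is a path on this origin.
// Rejects protocol-relative forms ("//host", "/\host") and any control
// or whitespace characters that could break header handling.
function isSafeLocalRedirect(target) {
  if (typeof target !== 'string' || target.length === 0) return false;
  if (target[0] !== '/') return false;                 // must be an absolute path
  if (target[1] === '/' || target[1] === '\\') return false; // protocol-relative
  if (/[\u0000-\u001f\u007f\s]/.test(target)) return false; // control/whitespace
  return true;
}

// Hypothetical trailing-slash redirect (the kind a "redirect" option performs):
// /dir -> /dir/. Returns null instead of a target when the result is unsafe.
function redirectTargetFor(pathname) {
  const target = pathname.endsWith('/') ? pathname : pathname + '/';
  return isSafeLocalRedirect(target) ? target : null;
}

// Constructed sample inputs for a quick manual run.
console.log(isAffectedVersion('4.3.0'), isAffectedVersion('4.4.1')); // true false
console.log(redirectTargetFor('/docs'));          // "/docs/"
console.log(redirectTargetFor('//example.test')); // null (would leave the origin)
```

In practice the version check belongs in a dependency audit step, and the target guard belongs wherever the application itself constructs Location headers; upgrading to 4.4.1 or later is the fix for the module's own redirect path.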

Affected Version(s)

https://github.com/fastify/fastify-static: affected >= v4.2.4, fixed in v4.4.1

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published (14 October 2021)

  • Vulnerability reserved