Path Traversal Vulnerability in @fastify/static by Fastify
CVE-2026-6410
What is CVE-2026-6410?
The @fastify/static package, versions 8.0.0 through 9.1.0, contains a path traversal vulnerability that is reachable only when directory listing is enabled through the 'list' option. A remote, unauthenticated attacker can obtain directory listings for arbitrary directories readable by the Node.js process, not just those under the configured static root. The root cause is the dirList.path() function: it builds the directory path with path.join(), which normalizes '..' segments, and never checks that the resulting path is still contained within the static root, so a request path containing traversal sequences resolves above the root. File contents are not disclosed by this flaw, but the names of directories and files outside the root are, and that alone can reveal sensitive information (deployment layout, configuration file names, other applications on the host) that aids further attacks. Users should upgrade to @fastify/static 9.1.1, which adds the missing containment check. As an interim workaround, directory listing can be disabled by removing the 'list' option from the plugin configuration; this removes the listing feature entirely rather than fixing the path handling, so upgrading remains the recommended remediation.
Affected Version(s)
@fastify/static >= 8.0.0, < 9.1.1 (fixed in 9.1.1)
