CVE-2026-6410 MEDIUM

CVE-2026-6410: @fastify/static vulnerable to path traversal in directory listing

Vendor @Fastify/Static
Product @fastify/static
Weakness CWE-22 · Path traversal
Published April 16, 2026
Last update April 16, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.

Key dates

02Disclosure timeline

April 16, 2026 CVE published
April 16, 2026 Record updated