5.3
Fastify Static versions 8.0.0-9.1.0: Directory listings exposed
CVE-2026-6410
GHSA-pr96-94w5-mx2h
Summary
In @fastify/static versions 8.0.0 through 9.1.0 with directory listing enabled, an attacker can see the names of files and directories outside the configured static root. This is a security risk because sensitive information could be exposed. To fix this, update to version 9.1.1, or temporarily disable directory listing by removing the list option from your plugin configuration.
What to do
- Update @fastify/static to version 9.1.1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | fastify | static | >= 8.0.0, <= 9.1.0 (fix: upgrade to 9.1.1) |
Original title
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured stat...
Original description
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.
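The missing containment check described above, shown as an added illustration. It is not @fastify/static's source or its 9.1.1 patch; the function names, root directory and request paths are constructed for the example.

```javascript
// Added illustration; not @fastify/static's code. Function names, the root
// directory and the request paths are constructed for this example.
const path = require('node:path').posix; // POSIX rules so results match on any host

// Pattern from the advisory: join the request path onto the root and use
// the result without checking where it landed.
function resolveUnchecked(root, requestPath) {
  return path.join(root, requestPath);
}

// Hardened form: normalise, then require the target to be the root itself
// or a descendant. path.relative() avoids the sibling-prefix mistake that a
// plain startsWith(root) check makes ("/public" vs "/public-old").
function resolveContained(root, requestPath) {
  const base = path.resolve(root);
  const target = path.resolve(path.join(base, requestPath));
  const rel = path.relative(base, target);
  const inside = rel === '' ||
    (rel !== '..' && !rel.startsWith('../') && !path.isAbsolute(rel));
  return inside ? target : null; // null: caller should refuse the listing
}

// Run both resolvers over a list of request paths for side-by-side review.
function compare(root, requestPaths) {
  return requestPaths.map((p) => ({
    request: p,
    unchecked: resolveUnchecked(root, p),
    contained: resolveContained(root, p),
  }));
}

const ROOT = '/srv/app/public'; // constructed sample root
const SAMPLES = ['/', '/images/', '/..', '/../../etc/', '/../public-old/'];

for (const row of compare(ROOT, SAMPLES)) {
  console.log(row.request.padEnd(18), row.unchecked.padEnd(24), row.contained);
}
```

The check is lexical only: a static root that contains symlinks needs both sides passed through `fs.realpath` before the comparison.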
nvd CVSS3.1
5.3
Vulnerability type
CWE-22
Path Traversal
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 16 Apr 2026