Fastify Static Path Decoding Allows File Access Bypass
CVE-2026-6414
GHSA-x428-ghpx-8j92
Summary
@fastify/static versions 8.0.0 through 9.1.0 percent-decode path separators (%2F) in the request URL before resolving the path on the filesystem, while Fastify's router matches the URL with those characters still encoded. Because the router and the static handler see different paths, a route-based guard (for example a hook or middleware protecting a prefix such as /protected/) can be bypassed by encoding the separator in the URL, exposing files that @fastify/static serves under that prefix. Upgrade to @fastify/static 9.1.1; no workaround is available.
What to do
- Upgrade @fastify/static to version 9.1.1 (no workaround is available).
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|---|
| npm | fastify | static | >= 8.0.0, <= 9.1.0 | 9.1.1 |
Original description
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.
NVD CVSS 3.1 base score
5.9
Vulnerability type
CWE-177: Improper Handling of URL Encoding (Hex Encoding)
References
- https://cna.openjsf.org/security-advisories.html
- https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j9...
- https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p
- https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr
- https://nvd.nist.gov/vuln/detail/CVE-2026-6414
- https://github.com/advisories/GHSA-x428-ghpx-8j92
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 16 Apr 2026