{"id":"CVE-2021-22964","details":"A redirect vulnerability in the `fastify-static` module version \u003e= 4.2.4 and \u003c 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed by a domain: `http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e`.A DOS vulnerability is possible if the URL contains invalid characters `curl --path-as-is \"http://localhost:3000//^/..\"`The issue shows up on all the `fastify-static` applications that set `redirect: true` option. By default, it is `false`.","aliases":["GHSA-pgh6-m65r-2rhq"],"modified":"2026-03-14T10:46:09.179065Z","published":"2021-10-14T15:15:08.933Z","references":[{"type":"FIX","url":"https://hackerone.com/reports/1361804"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fastify/fastify-static","events":[{"introduced":"d97b2cf6a0353e784ad2674aaecd6508ac74130d"},{"fixed":"f324f8b5013a130885c4857aad50afa113f21eae"}],"database_specific":{"versions":[{"introduced":"4.2.4"},{"fixed":"4.4.1"}]}}],"versions":["v4.2.4","v4.3.0","v4.4.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22964.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H"}]}