{"id":"CVE-2026-6410","summary":"@fastify/static vulnerable to path traversal in directory listing","details":"@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.","aliases":["GHSA-pr96-94w5-mx2h"],"modified":"2026-07-08T08:11:37.192825630Z","published":"2026-04-16T13:29:08.120Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6410.json","cwe_ids":["CWE-22"],"cna_assigner":"openjs"},"references":[{"type":"ADVISORY","url":"https://cna.openjsf.org/security-advisories.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6410.json"},{"type":"ADVISORY","url":"https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6410"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fastify/fastify-static","events":[{"introduced":"85a80f11f76a0f49d7186c8e512daedcafe21153"},{"fixed":"48b136f5d8da0efea328f49f6202ab3edabf608b"}],"database_specific":{"extracted_events":[{"introduced":"8.0.0"},{"fixed":"9.1.1"}],"cpe":"cpe:2.3:a:fastify:fastify-static:*:*:*:*:*:*:*:*","source":["AFFECTED_FIELD","CPE_RANGE"]}}],"versions":["v9.1.0","v9.0.0","v8.3.0","v8.2.0","v8.1.1","v8.1.0","v8.0.4","v8.0.3","v8.0.2","v8.0.1","v8.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6410.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}