CVE-2026-6414
Received Received - Intake
Path Traversal Bypass in @fastify/static via Encoded Separators

Publication date: 2026-04-16

Last updated on: 2026-04-23

Assigner: openjs

Description
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6414
EUVD
EUVD-2026-23227
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fastify fastify-static From 8.0.0 (inc) to 9.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-177 The product does not properly handle when all or part of an input has been URL encoded.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static by exploiting a mismatch in path separator decoding. Such unauthorized access to protected files could lead to exposure of sensitive data.

By potentially exposing protected files or data, this vulnerability may impact compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information.

However, the provided information does not explicitly describe the compliance impact or specific regulatory consequences.

Executive Summary

The vulnerability exists in @fastify/static versions 8.0.0 through 9.1.0 where percent-encoded path separators (%2F) are decoded before filesystem resolution, but Fastify's router treats these encoded separators as literal characters. This inconsistency allows attackers to bypass route-based middleware or guards that are intended to protect files served by @fastify/static.

For example, an attacker can circumvent a route guard on a protected path by encoding the path separator in the URL, effectively bypassing security controls.

The issue is fixed in @fastify/static version 9.1.1, and there are no workarounds available.

Impact Analysis

This vulnerability can allow attackers to bypass route-based middleware or guards that protect sensitive files served by @fastify/static. As a result, unauthorized users may gain access to protected resources or files that should otherwise be restricted.

Such unauthorized access can lead to exposure of sensitive information or data leakage, potentially compromising the security of your application.

Mitigation Strategies

Upgrade @fastify/static to version 9.1.1 or later to fix the issue.

There are no workarounds available for this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6414. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart